Check for overflow in page labels (fuzz issue 23599)

author: Jay Berkenbilt <ejb@ql.org> 2020-10-22 11:45:01 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2020-10-22 11:49:24 +0200
commit: c1684eae9144129027642f5069a0fd97f0559ec8 (patch)
tree: 9c899a6fa273f6a78ecd8b957d7c34c66f70f857
parent: 7f4a4df919f0b305ba7d3b63ed722ab38e3eb2d5 (diff)
download: qpdf-c1684eae9144129027642f5069a0fd97f0559ec8.tar.zst
3 files changed, 1 insertions, 1 deletions
diff --git a/TODO b/TODO
index a2854a2e..092dfe1f 100644
--- a/TODO
+++ b/TODO
@@ -65,7 +65,6 @@ Fuzz Errors
 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=<N>
 
 * New:
-  * 23599: integer overflow: https://oss-fuzz.com/testcase?key=6290807920525312
   * 23642: leak: https://oss-fuzz.com/testcase-detail/4906569690251264
 
 * Ignoring these:
diff --git a/fuzz/qpdf_extra/23599.fuzz b/fuzz/qpdf_extra/23599.fuzz
new file mode 100644
index 00000000..cd290b1a
--- /dev/null
+++ b/fuzz/qpdf_extra/23599.fuzz
diff --git a/libqpdf/QPDFPageLabelDocumentHelper.cc b/libqpdf/QPDFPageLabelDocumentHelper.cc
index a650fa9c..4be9073f 100644
--- a/libqpdf/QPDFPageLabelDocumentHelper.cc
+++ b/libqpdf/QPDFPageLabelDocumentHelper.cc
@@ -53,6 +53,7 @@ QPDFPageLabelDocumentHelper::getLabelForPage(long long page_idx)
     {
         start = St.getIntValue();
     }
+    QIntC::range_check(start, offset);
     start += offset;
     result = QPDFObjectHandle::newDictionary();
     result.replaceOrRemoveKey("/S", S);
author	Jay Berkenbilt <ejb@ql.org>	2020-10-22 11:45:01 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2020-10-22 11:49:24 +0200
commit	c1684eae9144129027642f5069a0fd97f0559ec8 (patch)
tree	9c899a6fa273f6a78ecd8b957d7c34c66f70f857
parent	7f4a4df919f0b305ba7d3b63ed722ab38e3eb2d5 (diff)
download	qpdf-c1684eae9144129027642f5069a0fd97f0559ec8.tar.zst