Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740)

author: Jay Berkenbilt <ejb@ql.org> 2021-11-04 18:52:47 +0100
committer: Jay Berkenbilt <ejb@ql.org> 2021-11-04 19:03:24 +0100
commit: a84a0b248768dcbab7fc007bb22a258cac9e4131 (patch)
tree: 2d05c81cf62adef6192e5038c5a41639bb65730d
parent: ec09b914434b8dbc23bf6043b13ee5d5ecf4c2a6 (diff)
download: qpdf-a84a0b248768dcbab7fc007bb22a258cac9e4131.tar.zst
3 files changed, 4 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 56a2be61..45b70fea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2021-11-04  Jay Berkenbilt  <ejb@ql.org>
 
+	* Add range check in QPDFNumberTreeObjectHelper (fuzz issue 37740).
+
 	* Add QIntC::range_check_substract to do range checking on
 	subtraction, which has different boundary conditions from
 	addition.
diff --git a/fuzz/qpdf_extra/37740.fuzz b/fuzz/qpdf_extra/37740.fuzz
new file mode 100644
index 00000000..64189f69
--- /dev/null
+++ b/fuzz/qpdf_extra/37740.fuzz
diff --git a/libqpdf/QPDFNumberTreeObjectHelper.cc b/libqpdf/QPDFNumberTreeObjectHelper.cc
index be2f2f16..7f510497 100644
--- a/libqpdf/QPDFNumberTreeObjectHelper.cc
+++ b/libqpdf/QPDFNumberTreeObjectHelper.cc
@@ -1,5 +1,6 @@
 #include <qpdf/QPDFNumberTreeObjectHelper.hh>
 #include <qpdf/NNTree.hh>
+#include <qpdf/QIntC.hh>
 
 class NumberTreeDetails: public NNTreeDetails
 {
@@ -235,6 +236,7 @@ QPDFNumberTreeObjectHelper::findObjectAtOrBelow(
         return false;
     }
     oh = i->second;
+    QIntC::range_check_substract(idx, i->first);
     offset = idx - i->first;
     return true;
 }
author	Jay Berkenbilt <ejb@ql.org>	2021-11-04 18:52:47 +0100
committer	Jay Berkenbilt <ejb@ql.org>	2021-11-04 19:03:24 +0100
commit	a84a0b248768dcbab7fc007bb22a258cac9e4131 (patch)
tree	2d05c81cf62adef6192e5038c5a41639bb65730d
parent	ec09b914434b8dbc23bf6043b13ee5d5ecf4c2a6 (diff)
download	qpdf-a84a0b248768dcbab7fc007bb22a258cac9e4131.tar.zst