author | m-holger <m-holger@kubitscheck.org> | 2024-01-17 15:07:37 +0100 |
---|---|---|
committer | m-holger <m-holger@kubitscheck.org> | 2024-01-17 15:11:57 +0100 |
commit | f0343565edd3679210c598d3361ad9530829e73c (patch) | |
tree | 2c887b82e706e4df507d7f6a66e8058b7c123354 | |
parent | 6b80e0f14b296c21d38a92e25af72da9bf5757ae (diff) | |
download | qpdf-f0343565edd3679210c598d3361ad9530829e73c.tar.zst |
Tighten checks for invalid indirect references during xref reconstruction
-rw-r--r-- | libqpdf/QPDF.cc | 4 | ||||
-rw-r--r-- | qpdf/qpdf.testcov | 1 | ||||
-rw-r--r-- | qpdf/qtest/qpdf/obj0-check.out | 1 |
3 files changed, 5 insertions, 1 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 8cff3dfd..01158ce2 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1195,6 +1195,10 @@ QPDF::insertFreeXrefEntry(QPDFObjGen og)
 void
 QPDF::insertReconstructedXrefEntry(int obj, qpdf_offset_t f1, int f2)
 {
+ if (!(obj > 0 && 0 <= f2 && f2 < 65535)) {
+ QTC::TC("qpdf", "QPDF xref overwrite invalid objgen");
+ return;
+ }
 QPDFObjGen og(obj, f2);
 if (!m->deleted_objects.count(obj)) {
 // deleted_objects stores the uncompressed objects removed from the xref table at the start
diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov
index e7b6a8a2..51c3ea72 100644
--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -105,6 +105,7 @@ QPDF_encryption xref stream from encrypted file 0
 QPDFJob unable to filter 0
 QUtil non-trivial UTF-16 0
 QPDF xref overwrite object 0
+QPDF xref overwrite invalid objgen 0
 QPDF decoding error warning 0
 qpdf-c called qpdf_init 0
 qpdf-c called qpdf_cleanup 0
diff --git a/qpdf/qtest/qpdf/obj0-check.out b/qpdf/qtest/qpdf/obj0-check.out
index 7a17e8a7..785131d4 100644
--- a/qpdf/qtest/qpdf/obj0-check.out
+++ b/qpdf/qtest/qpdf/obj0-check.out
@@ -5,5 +5,4 @@ checking obj0.pdf
 PDF Version: 1.3
 File is not encrypted
 File is not linearized
-WARNING: obj0.pdf (offset 15): object with ID 0
 qpdf: operation succeeded with warnings |
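Review bot: The guard added at the top of insertReconstructedXrefEntry discards an out-of-range object/generation pair without any diagnostic, and the obj0-check.out hunk shows the "object with ID 0" warning disappearing for that input, apparently as a result. For damaged or hostile files that removes a signal a user would want when triaging. If the silent drop is intended, say so with a comment above the check, e.g. `// Ignore entries that cannot be valid in-use objects: obj <= 0 or generation outside [0, 65535).`; otherwise emit a warning before the `return`. The bare `65535` would read better as a named constant, since the exclusive bound is easy to mistake for an off-by-one. No upper limit on `obj` is applied here, and whether one is enforced elsewhere is not visible, because the function body continues past the hunk.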