diff options
| author | Jay Berkenbilt <ejb@ql.org> | 2020-11-21 19:12:31 +0100 |
|---|---|---|
| committer | Jay Berkenbilt <ejb@ql.org> | 2020-11-21 19:43:04 +0100 |
| commit | 9d6448157175d8e03a42d6942d4c058b93daf42b (patch) | |
| tree | 5fd49e7404b598735128fd02391fc9b0dee2aa17 /include | |
| parent | 4b4b31bf23daa1479f16ed368316df603fb2407f (diff) | |
| download | qpdf-9d6448157175d8e03a42d6942d4c058b93daf42b.tar.zst | |
Handle negative numbers in QIntC::range_check (fuzz issue 26994)
Diffstat (limited to 'include')
| -rw-r--r-- | include/qpdf/QIntC.hh | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/include/qpdf/QIntC.hh b/include/qpdf/QIntC.hh index 5f7f21bb..e3ea0a28 100644 --- a/include/qpdf/QIntC.hh +++ b/include/qpdf/QIntC.hh @@ -226,6 +226,11 @@ namespace QIntC // QIntC = qpdf Integer Conversion template <typename T> void range_check(T const& cur, T const& delta) { + if ((delta > 0) != (cur > 0)) + { + return; + } + if ((delta > 0) && ((std::numeric_limits<T>::max() - cur) < delta)) { @@ -235,6 +240,15 @@ namespace QIntC // QIntC = qpdf Integer Conversion << " would cause an integer overflow"; throw std::range_error(msg.str()); } + else if ((delta < 0) && + ((std::numeric_limits<T>::min() - cur) > delta)) + { + std::ostringstream msg; + msg.imbue(std::locale::classic()); + msg << "adding " << delta << " to " << cur + << " would cause an integer underflow"; + throw std::range_error(msg.str()); + } } }; |