diff options
author | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 16:58:20 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 19:08:07 +0200 |
commit | 456c285b0277315537c0a402a8d35dff3bec3c10 (patch) | |
tree | ea5eaa788178226a90f707acb66ddb885e332427 /libqpdf | |
parent | ad8081daf597b8f46696d5ddae82770ab419ad82 (diff) | |
download | qpdf-456c285b0277315537c0a402a8d35dff3bec3c10.tar.zst |
Fix fuzz issue 16172 (overflow checking in OffsetInputSource)
Diffstat (limited to 'libqpdf')
-rw-r--r-- | libqpdf/OffsetInputSource.cc | 23 | ||||
-rw-r--r-- | libqpdf/qpdf/OffsetInputSource.hh | 1 |
2 files changed, 24 insertions, 0 deletions
diff --git a/libqpdf/OffsetInputSource.cc b/libqpdf/OffsetInputSource.cc index 2923c388..b6dae255 100644 --- a/libqpdf/OffsetInputSource.cc +++ b/libqpdf/OffsetInputSource.cc @@ -1,10 +1,20 @@ #include <qpdf/OffsetInputSource.hh> +#include <limits> +#include <sstream> +#include <stdexcept> OffsetInputSource::OffsetInputSource(PointerHolder<InputSource> proxied, qpdf_offset_t global_offset) : proxied(proxied), global_offset(global_offset) { + if (global_offset < 0) + { + throw std::logic_error( + "OffsetInputSource constructed with negative offset"); + } + this->max_safe_offset = + std::numeric_limits<qpdf_offset_t>::max() - global_offset; } OffsetInputSource::~OffsetInputSource() @@ -34,12 +44,25 @@ OffsetInputSource::seek(qpdf_offset_t offset, int whence) { if (whence == SEEK_SET) { + if (offset > this->max_safe_offset) + { + std::ostringstream msg; + msg << "seeking to " << offset + << " offset by " << global_offset + << " would cause an overflow of the offset type"; + throw std::range_error(msg.str()); + } this->proxied->seek(offset + global_offset, whence); } else { this->proxied->seek(offset, whence); } + if (tell() < 0) + { + throw std::runtime_error( + "offset input source: seek before beginning of file"); + } } void diff --git a/libqpdf/qpdf/OffsetInputSource.hh b/libqpdf/qpdf/OffsetInputSource.hh index d541db1a..fef23760 100644 --- a/libqpdf/qpdf/OffsetInputSource.hh +++ b/libqpdf/qpdf/OffsetInputSource.hh @@ -24,6 +24,7 @@ class OffsetInputSource: public InputSource private: PointerHolder<InputSource> proxied; qpdf_offset_t global_offset; + qpdf_offset_t max_safe_offset; }; #endif // QPDF_OFFSETINPUTSOURCE_HH |