diff options
-rw-r--r-- | fuzz/qpdf_extra/15316.fuzz | 3 | ||||
-rw-r--r-- | fuzz/qpdf_extra/15390.fuzz | bin | 0 -> 821 bytes | |||
-rw-r--r-- | libqpdf/QPDF.cc | 6 |
3 files changed, 9 insertions, 0 deletions
diff --git a/fuzz/qpdf_extra/15316.fuzz b/fuzz/qpdf_extra/15316.fuzz new file mode 100644 index 00000000..0c29ddc2 --- /dev/null +++ b/fuzz/qpdf_extra/15316.fuzz @@ -0,0 +1,3 @@ + 1 0 obj<<2147483647 0 R>> +endobj +trailer<</Root 1 0 R>>
\ No newline at end of file diff --git a/fuzz/qpdf_extra/15390.fuzz b/fuzz/qpdf_extra/15390.fuzz Binary files differnew file mode 100644 index 00000000..e8233c9a --- /dev/null +++ b/fuzz/qpdf_extra/15390.fuzz diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc index f6d16e4d..a774bd42 100644 --- a/libqpdf/QPDF.cc +++ b/libqpdf/QPDF.cc @@ -4,6 +4,7 @@ #include <vector> #include <map> #include <algorithm> +#include <limits> #include <stdlib.h> #include <string.h> #include <memory.h> @@ -2151,6 +2152,11 @@ QPDFObjectHandle QPDF::makeIndirectObject(QPDFObjectHandle oh) { int max_objid = toI(getObjectCount()); + if (max_objid == std::numeric_limits<int>::max()) + { + throw std::range_error( + "max object id is too high to create new objects"); + } QPDFObjGen next(max_objid + 1, 0); this->m->obj_cache[next] = ObjCache(QPDFObjectHandle::ObjAccessor::getObject(oh), -1, -1); |