-rw-r--r--fuzz/qpdf_extra/18241.fuzzbin0 -> 73 bytes
-rw-r--r--fuzz/qpdf_extra/18247.fuzzbin0 -> 569 bytes
-rw-r--r--libqpdf/QPDF.cc5
3 files changed, 3 insertions, 2 deletions
diff --git a/fuzz/qpdf_extra/18241.fuzz b/fuzz/qpdf_extra/18241.fuzz
new file mode 100644
index 00000000..c18cfe6c
--- /dev/null
+++ b/fuzz/qpdf_extra/18241.fuzz
Binary files differ
diff --git a/fuzz/qpdf_extra/18247.fuzz b/fuzz/qpdf_extra/18247.fuzz
new file mode 100644
index 00000000..35881392
--- /dev/null
+++ b/fuzz/qpdf_extra/18247.fuzz
Binary files differ
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 864ac2d5..09de87e3 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -688,7 +688,7 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
{
max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
}
- if (size - 1 != max_obj)
+ if ((size < 1) || (size - 1 != max_obj))
{
QTC::TC("qpdf", "QPDF xref size mismatch");
warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
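Review bot: The new `(size < 1)` guard on the `if` at the top of the hunk rejects a zero or negative trailer `/Size` before `size - 1` is evaluated, but nothing records why, and the type of `size` (and so whether `size - 1` would go negative or wrap unsigned) is not visible here; a comment such as `// /Size below 1 is damaged input; check it before computing size - 1` would make the intent clear to the next reader. The comparison `size - 1 != max_obj` also mixes whatever `size` is with the type held in `deleted_objects`, so it is worth confirming the two agree in signedness or that the compiler's sign-compare warning is clean on this line. What happens to `size` after the warning is issued is outside the hunk, as is the start of read_xref; if the value is later used for sizing or bounding anything, the damaged-input path should clamp it rather than only warn.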
@@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
// an uncompressed object record, in which case the generation
// number appears as the third field.
int obj = toI(indx.at(cur_chunk));
- if ((std::numeric_limits<int>::max() - obj) < chunk_count)
+ if ((obj < 0) ||
+ ((std::numeric_limits<int>::max() - obj) < chunk_count))
{
std::ostringstream msg;
msg << "adding " << chunk_count << " to " << obj