From 9094fb1f8eed9f869d2bf90d99e7ab9ac913d76c Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Sun, 3 Nov 2019 18:54:39 -0500
Subject: Fix two additional fuzz test cases

---
 fuzz/qpdf_extra/18241.fuzz | Bin 0 -> 73 bytes
 fuzz/qpdf_extra/18247.fuzz | Bin 0 -> 569 bytes
 libqpdf/QPDF.cc | 5 +++--
 3 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 fuzz/qpdf_extra/18241.fuzz
 create mode 100644 fuzz/qpdf_extra/18247.fuzz

diff --git a/fuzz/qpdf_extra/18241.fuzz b/fuzz/qpdf_extra/18241.fuzz
new file mode 100644
index 00000000..c18cfe6c
Binary files /dev/null and b/fuzz/qpdf_extra/18241.fuzz differ
diff --git a/fuzz/qpdf_extra/18247.fuzz b/fuzz/qpdf_extra/18247.fuzz
new file mode 100644
index 00000000..35881392
Binary files /dev/null and b/fuzz/qpdf_extra/18247.fuzz differ
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 864ac2d5..09de87e3 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -688,7 +688,7 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 {
 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
 }
- if (size - 1 != max_obj)
+ if ((size < 1) || (size - 1 != max_obj))
 {
 QTC::TC("qpdf", "QPDF xref size mismatch");
 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
@@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
 int obj = toI(indx.at(cur_chunk));
- if ((std::numeric_limits::max() - obj) < chunk_count)
+ if ((obj < 0) ||
+ ((std::numeric_limits::max() - obj) < chunk_count))
 {
 std::ostringstream msg;
 msg << "adding " << chunk_count << " to " << obj
--
cgit v1.2.3-54-g00ecf
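Review bot: The new `(size < 1)` clause in read_xref funnels a zero or negative /Size into the existing "QPDF xref size mismatch" warning, so a trailer that is malformed in a different way gets a misleading diagnostic and, since warn() does not abort, whatever uses `size` after this `if` (outside the hunk) still sees the bad value unless it is corrected there. Consider a dedicated check with its own message, e.g. `if (size < 1) { warn(... "/Size in trailer is less than 1" ...); }`, and confirm that the code following the hunk clamps or replaces `size` rather than trusting it. The declared type of `size` and `max_obj` is not visible here; if `size` is a plain `int`, `size - 1` at INT_MIN is signed overflow, which is exactly what the new guard's short-circuit now prevents, so a one-line comment such as `// Guard size < 1 first: it makes size - 1 safe and rejects a nonsensical /Size.` would record why the order matters. read_xref's body starts and ends outside the hunk.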
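Review bot: Rejecting `obj < 0` in processXRefStream is correct, but the diagnostic assembled on the following lines (`msg << "adding " << chunk_count << " to " << obj`) describes an integer-overflow condition, so a negative /Index start value will be reported as an overflow rather than as an invalid object number; a separate branch with its own text, e.g. `if (obj < 0) { ... "negative object number in xref stream /Index" ... }`, would keep the message honest. The hunk also shows `std::numeric_limits::max()` with no template argument, which cannot compile as written; this is presumably `std::numeric_limits<int>::max()` with the angle brackets lost in HTML rendering, but it is worth confirming against the committed source. The sign and type of `chunk_count` are not visible in the hunk; if it can be negative the overflow test passes trivially, so whatever validated it earlier should be referenced in a comment such as `// Requires obj >= 0 and chunk_count >= 0; otherwise INT_MAX - obj can itself overflow.`. The enclosing loop and function continue outside the hunk.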