From 47a38a942d34a65524dca2e1255c1b4ba02d7eb6 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Wed, 28 Aug 2019 09:32:58 -0400
Subject: Detect stream in object stream, fixing fuzz 16214

It's detected in QPDFWriter instead of at parse time because I can't
figure out how to construct a test case in a reasonable time. This
commit moves the fuzz file into the regular test suite for a QTC
coverage case.
---
 libqpdf/QPDFWriter.cc | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'libqpdf/QPDFWriter.cc')

diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
index 895f98ce..f5fa2bc9 100644
--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
@@ -2012,7 +2012,19 @@ QPDFWriter::writeObjectStream(QPDFObjectHandle object)
                 // pass 1.
                 indicateProgress(true, false);
 	    }
-	    writeObject(this->m->pdf.getObjectByObjGen(obj), count);
+            QPDFObjectHandle obj_to_write =
+                this->m->pdf.getObjectByObjGen(obj);
+            if (obj_to_write.isStream())
+            {
+                // This condition occurred in a fuzz input. Ideally we
+                // should block it at at parse time, but it's not
+                // clear to me how to construct a case for this.
+                QTC::TC("qpdf", "QPDFWriter stream in ostream");
+                obj_to_write.warnIfPossible(
+                    "stream found inside object stream; treating as null");
+                obj_to_write = QPDFObjectHandle::newNull();
+            }
+	    writeObject(obj_to_write, count);
 
 	    this->m->xref[new_obj] = QPDFXRefEntry(2, new_id, count);
 	}
-- 
cgit v1.2.3-54-g00ecf