From 47a38a942d34a65524dca2e1255c1b4ba02d7eb6 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Wed, 28 Aug 2019 09:32:58 -0400
Subject: Detect stream in object stream, fixing fuzz 16214

It's detected in QPDFWriter instead of at parse time because I can't figure out how to construct a test case in a reasonable time. This commit moves the fuzz file into the regular test suite for a QTC coverage case.
---
 libqpdf/QPDFWriter.cc | 14 +++++++++++++-
 libqpdf/QPDF_Stream.cc | 3 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)

(limited to 'libqpdf')

diff --git a/libqpdf/QPDFWriter.cc b/libqpdf/QPDFWriter.cc
index 895f98ce..f5fa2bc9 100644
--- a/libqpdf/QPDFWriter.cc
+++ b/libqpdf/QPDFWriter.cc
@@ -2012,7 +2012,19 @@ QPDFWriter::writeObjectStream(QPDFObjectHandle object)
 // pass 1.
 indicateProgress(true, false);
 }
- writeObject(this->m->pdf.getObjectByObjGen(obj), count);
+ QPDFObjectHandle obj_to_write =
+ this->m->pdf.getObjectByObjGen(obj);
+ if (obj_to_write.isStream())
+ {
+ // This condition occurred in a fuzz input. Ideally we
+ // should block it at at parse time, but it's not
+ // clear to me how to construct a case for this.
+ QTC::TC("qpdf", "QPDFWriter stream in ostream");
+ obj_to_write.warnIfPossible(
+ "stream found inside object stream; treating as null");
+ obj_to_write = QPDFObjectHandle::newNull();
+ }
+ writeObject(obj_to_write, count);
 this->m->xref[new_obj] = QPDFXRefEntry(2, new_id, count);
 }

diff --git a/libqpdf/QPDF_Stream.cc b/libqpdf/QPDF_Stream.cc
index 4f20c604..dd2796e8 100644
--- a/libqpdf/QPDF_Stream.cc
+++ b/libqpdf/QPDF_Stream.cc
@@ -105,7 +105,8 @@ QPDF_Stream::setStreamDescription()
 {
 setDescription(
 this->qpdf,
- "stream object " + QUtil::int_to_string(this->objid) + " " +
+ this->qpdf->getFilename() +
+ ", stream object " + QUtil::int_to_string(this->objid) + " " +
 QUtil::int_to_string(this->generation));
 }

-- 
cgit v1.2.3-54-g00ecf
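Review bot: Replacing the stream with `QPDFObjectHandle::newNull()` in the `if (obj_to_write.isStream())` branch silently drops that object's dictionary and data from the output (every indirect reference to it now resolves to null), and the only signal is a warning; since the writer decides object-stream membership before this loop, it may be possible to keep such streams out of the object stream and emit them as regular top-level objects instead of discarding them — worth checking whether the assignment logic, which is outside this hunk, allows that. The guard also covers only the stream case: the PDF specification (ISO 32000-1 §7.5.7) equally forbids objects with a non-zero generation number, the document's encryption dictionary and the object stream's own /Length object inside an object stream, and whether the writer copes gracefully when a hostile input places those there is not visible here. I would have the comment cite the spec rule rather than only the fuzz input, e.g. `// ISO 32000-1 7.5.7: an object stream shall not contain stream objects`, and fix the doubled word in `// should block it at at parse time`. writeObjectStream begins and ends outside this hunk.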
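Review bot: Prefixing the description with `this->qpdf->getFilename()` changes every stream-related warning from `stream object N G` to `<file>, stream object N G`, which is user-visible output; the test suite's expected-output files that match the old prefix presumably need updating with this change, and anything that parses qpdf warnings should expect the new form. Whether `this->qpdf` can be null when setStreamDescription runs is not visible in this hunk; if a stream can ever exist without an owning QPDF, the new dereference needs a guard, otherwise a short comment such as `// qpdf is always set for a parsed stream` would document the assumption. The function's signature sits in the hunk header, outside the hunk lines.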