Fix some pipelines to be safe if downstream write fails (fuzz issue 28262)
jberkenbilt committed Jan 4, 2021
1 parent a9bdeeb commit dc92574
Showing 6 changed files with 17 additions and 6 deletions.
6 changes: 6 additions & 0 deletions ChangeLog
@@ -1,3 +1,9 @@
2021-01-04 Jay Berkenbilt <ejb@ql.org>

* Move getNext()->write() calls in some pipelines to ensure that
state gates properly reset even if the next pipeline's write
throws an exception (fuzz issue 28262).

2021-01-03 Jay Berkenbilt <ejb@ql.org>

* Don't include -o nospace with zsh completion setup so file
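Review bot: The new 2021-01-04 entry says "some pipelines" without naming them. Listing the classes touched in this commit (Pl_AES_PDF, Pl_ASCII85Decoder, Pl_ASCIIHexDecoder, Pl_Count) would let a ChangeLog reader tell which filters were affected by fuzz issue 28262. "state gates properly reset" also reads like a typo for "state gets properly reset".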
Binary file added fuzz/qpdf_extra/28262.fuzz
Binary file not shown.
2 changes: 1 addition & 1 deletion libqpdf/Pl_AES_PDF.cc
Expand Up @@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
}
}
}
getNext()->write(this->outbuf, bytes);
this->offset = 0;
getNext()->write(this->outbuf, bytes);
}
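Review bot: The reordered `this->offset = 0;` in Pl_AES_PDF::flush carries no comment saying why it has to come before `getNext()->write(this->outbuf, bytes);`, while the two decoder flush() changes in this commit both add "Reset before calling getNext()->write in case that throws an exception." The same comment here would keep a later cleanup from moving the write back above the reset, since nothing else in the hunk signals that the order matters.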
7 changes: 5 additions & 2 deletions libqpdf/Pl_ASCII85Decoder.cc
Expand Up @@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()

QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
(this->pos == 5) ? 0 : 1);
getNext()->write(outbuf, this->pos - 1);

// Reset before calling getNext()->write in case that throws an
// exception.
auto t = this->pos - 1;
this->pos = 0;
memset(this->inbuf, 117, 5);

getNext()->write(outbuf, t);
}

void
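Review bot: In Pl_ASCII85Decoder::flush, `auto t = this->pos - 1;` gives the saved length a one-letter name and a deduced type, although it is the byte count handed to `getNext()->write(outbuf, t);`. A descriptive name and an explicit type would make it obvious that this is the pre-reset length and would show any conversion at the call. While this block is being touched, the `117` in `memset(this->inbuf, 117, 5);` would also read better as a character literal or with a short comment on what the fill value means.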
6 changes: 4 additions & 2 deletions libqpdf/Pl_ASCIIHexDecoder.cc
Expand Up @@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()

QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
(this->pos == 2) ? 0 : 1);
getNext()->write(&ch, 1);

// Reset before calling getNext()->write in case that throws an
// exception.
this->pos = 0;
this->inbuf[0] = '0';
this->inbuf[1] = '0';
this->inbuf[2] = '\0';

getNext()->write(&ch, 1);
}

void
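Review bot: The reordering in Pl_ASCIIHexDecoder::flush is exercised only by the binary input fuzz/qpdf_extra/28262.fuzz added in this commit. The existing `QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush", ...)` case covers the partial flush but not a downstream write that throws. A small library test with a next pipeline that throws from write(), followed by reuse of the decoder, would document the intended behaviour and catch a regression if the reset is moved back below `getNext()->write(&ch, 1);`.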
2 changes: 1 addition & 1 deletion libqpdf/Pl_Count.cc
Expand Up @@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
if (len)
{
this->m->count += QIntC::to_offset(len);
getNext()->write(buf, len);
this->m->last_char = buf[len - 1];
getNext()->write(buf, len);
}
}
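Review bot: In Pl_Count::write, both `this->m->count += QIntC::to_offset(len);` and now `this->m->last_char = buf[len - 1];` are updated before `getNext()->write(buf, len);`, so when the downstream write throws, the counter and last character describe bytes that were never accepted downstream. If that is the intended meaning (bytes offered rather than bytes delivered), a one-line comment saying so would help callers that read these values after catching the exception.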
