Fix off by one error in xref resizing.

Found by zeniko in his fuzzing tests. Many thanks!

1 files changed, 4 insertions, 4 deletions

diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index bee9e210..0be3740f 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -126,7 +126,7 @@ pdf_read_new_trailer(pdf_document *xref, pdf_lexbuf *buf)
 		int num, gen, stm_ofs, ofs;
 		ofs = fz_tell(xref->file);
 		xref->trailer = pdf_parse_ind_obj(xref, xref->file, buf, &num, &gen, &stm_ofs);
-		if (num > xref->len)
+		if (num >= xref->len)
 			pdf_resize_xref(xref, num+1);
 		xref->table[num].ofs = ofs;
 		xref->table[num].gen = gen;
@@ -334,7 +334,7 @@ pdf_read_new_xref(pdf_document *xref, pdf_lexbuf *buf)
 	{
 		int ofs = fz_tell(xref->file);
 		trailer = pdf_parse_ind_obj(xref, xref->file, buf, &num, &gen, &stm_ofs);
-		if (num > xref->len)
+		if (num >= xref->len)
 			pdf_resize_xref(xref, num+1);
 		xref->table[num].ofs = ofs;
 		xref->table[num].gen = gen;
@@ -355,7 +355,7 @@ pdf_read_new_xref(pdf_document *xref, pdf_lexbuf *buf)
 			fz_throw(ctx, "xref stream missing Size entry (%d %d R)", num, gen);
 
 		size = pdf_to_int(obj);
-		if (size > xref->len)
+		if (size >= xref->len)
 			pdf_resize_xref(xref, size);
 
 		if (num < 0 || num >= xref->len)
@@ -562,7 +562,7 @@ pdf_load_xref(pdf_document *xref, pdf_lexbuf *buf)
 	if (!size)
 		fz_throw(ctx, "trailer missing Size entry");
 
-	if (size > xref->len)
+	if (size >= xref->len)
 		pdf_resize_xref(xref, size);
 
 	pdf_read_xref_sections(xref, xref->startxref, buf);