Bug 698916: Indirect object numbers must be in range.

2 files changed, 4 insertions, 2 deletions

diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
index 7904ebd7..b4783ae8 100644
--- a/source/pdf/pdf-parse.c
+++ b/source/pdf/pdf-parse.c
@@ -623,6 +623,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
 	}
 	num = buf->i;
+	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
 
 	tok = pdf_lex(ctx, file, buf);
 	if (tok != PDF_TOK_INT)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 4997ebe5..cfcd0a21 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -228,8 +228,8 @@ pdf_xref_entry *pdf_get_populating_xref_entry(fz_context *ctx, pdf_document *doc
 	}
 
 	/* Prevent accidental heap underflow */
-	if (num < 0)
-		fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
+	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
 
 	/* Return the pointer to the entry in the last section. */
 	xref = &doc->xref_sections[doc->num_xref_sections-1];