authorRobin Watts <robin.watts@artifex.com>2014-01-10 14:19:09 +0000
committerRobin Watts <robin.watts@artifex.com>2014-01-10 14:29:10 +0000
commitbf2aa9521b016d849eb4e88be3281fa84b5ab317 (patch)
tree30d65601f85460a2aeffb12742b76ed5b142c2a3 /source
parentf26bf94c5078d4ed498c283687cf19a24d71580c (diff)
Solve SEGV in mutool clean with fuzzed file.
While attempting to debug a valgrind issue with: 013b2dcbd0207501e922910ac335eb59_asan_heap-oob_a59696_5952_500.pdf I found that mutool -difggg on it failed with a SEGV. This is due to us parsing an array with a large invalid indirection in it (e.g. [123456789 0 R]) and then the renumbering code assuming this is valid and accessing off the end of an array.
Diffstat (limited to 'source')
-rw-r--r--source/pdf/pdf-write.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
index df432c21..36fda444 100644
--- a/source/pdf/pdf-write.c
+++ b/source/pdf/pdf-write.c
@@ -711,6 +711,7 @@ static void compactxref(pdf_document *doc, pdf_write_options *opts)
static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj)
{
int i;
+ int xref_len = pdf_xref_len(doc);
if (pdf_is_dict(obj))
{
@@ -721,7 +722,11 @@ static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj
pdf_obj *val = pdf_dict_get_val(obj, i);
if (pdf_is_indirect(val))
{
- val = pdf_new_indirect(doc, opts->renumber_map[pdf_to_num(val)], 0);
+ int o = pdf_to_num(val);
+ if (o >= xref_len)
+ val = pdf_new_null(doc);
+ else
+ val = pdf_new_indirect(doc, opts->renumber_map[o], 0);
pdf_dict_put(obj, key, val);
pdf_drop_obj(val);
}
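Review bot: The new guard `if (o >= xref_len)` is one-sided: a malformed reference whose object number parses as negative (e.g. `-5 0 R` from a fuzzed file) would still index `opts->renumber_map[o]` below the start of the array, if pdf_to_num can return a negative value for such input (it returns int, so this looks possible but should be confirmed against the lexer). Tightening it to `if (o < 0 || o >= xref_len)` closes that side as well; the same check appears in the pdf_array_get hunk at @@ -740,7 +745,11 @@ and should be changed identically there. The identical five-line null-or-renumber sequence in both hunks could also be folded into one static helper so a future fix to the bounds check cannot be applied to only one copy. The enclosing renumberobj starts before this hunk and continues after it.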
@@ -740,7 +745,11 @@ static void renumberobj(pdf_document *doc, pdf_write_options *opts, pdf_obj *obj
pdf_obj *val = pdf_array_get(obj, i);
if (pdf_is_indirect(val))
{
- val = pdf_new_indirect(doc, opts->renumber_map[pdf_to_num(val)], 0);
+ int o = pdf_to_num(val);
+ if (o >= xref_len)
+ val = pdf_new_null(doc);
+ else
+ val = pdf_new_indirect(doc, opts->renumber_map[o], 0);
pdf_array_put(obj, i, val);
pdf_drop_obj(val);
}