summaryrefslogtreecommitdiff
path: root/pdf/pdf_xref.c
diff options
context:
space:
mode:
Diffstat (limited to 'pdf/pdf_xref.c')
-rw-r--r--pdf/pdf_xref.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 4a03751c..ab8a3364 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -273,7 +273,9 @@ pdf_read_new_xref_section(pdf_document *xref, fz_stream *stm, int i0, int i1, in
{
int i, n;
- if (i0 < 0 || i0 + i1 > xref->len)
+ if (i0 < 0 || i1 < 0)
+ fz_throw(xref->ctx, "negative xref stream entry index");
+ if (i0 + i1 > xref->len)
fz_throw(xref->ctx, "xref stream has too many entries");
for (i = i0; i < i0 + i1; i++)
@@ -347,6 +349,17 @@ pdf_read_new_xref(pdf_document *xref, pdf_lexbuf *buf)
w1 = pdf_to_int(pdf_array_get(obj, 1));
w2 = pdf_to_int(pdf_array_get(obj, 2));
+ if (w0 < 0)
+ fz_warn(ctx, "xref stream objects have corrupt type");
+ if (w1 < 0)
+ fz_warn(ctx, "xref stream objects have corrupt offset");
+ if (w2 < 0)
+ fz_warn(ctx, "xref stream objects have corrupt generation");
+
+ w0 = w0 < 0 ? 0 : w0;
+ w1 = w1 < 0 ? 0 : w1;
+ w2 = w2 < 0 ? 0 : w2;
+
index = pdf_dict_gets(trailer, "Index");
stm = pdf_open_stream_with_offset(xref, num, gen, trailer, stm_ofs);
@@ -434,12 +447,17 @@ pdf_read_xref_sections(pdf_document *xref, int ofs, pdf_lexbuf *buf)
xrefstmofs = pdf_to_int(pdf_dict_gets(trailer, "XRefStm"));
prevofs = pdf_to_int(pdf_dict_gets(trailer, "Prev"));
+ if (xrefstmofs < 0)
+ fz_throw(ctx, "negative xref stream offset");
+ if (prevofs < 0)
+ fz_throw(ctx, "negative xref stream offset for previous xref stream");
+
/* We only recurse if we have both xrefstm and prev.
* Hopefully this happens infrequently. */
if (xrefstmofs && prevofs)
pdf_read_xref_sections(xref, xrefstmofs, buf);
if (prevofs)
- ofs = prevofs;
+ ofs = prevofs;
else if (xrefstmofs)
ofs = xrefstmofs;
pdf_drop_obj(trailer);
@@ -477,7 +495,8 @@ pdf_load_xref(pdf_document *xref, pdf_lexbuf *buf)
if (!size)
fz_throw(ctx, "trailer missing Size entry");
- pdf_resize_xref(xref, size);
+ if (size > xref->len)
+ pdf_resize_xref(xref, size);
pdf_read_xref_sections(xref, xref->startxref, buf);
@@ -892,6 +911,11 @@ pdf_load_obj_stm(pdf_document *xref, int num, int gen, pdf_lexbuf *buf)
count = pdf_to_int(pdf_dict_gets(objstm, "N"));
first = pdf_to_int(pdf_dict_gets(objstm, "First"));
+ if (count < 0)
+ fz_throw(ctx, "negative number of objects in object stream");
+ if (first < 0)
+ fz_throw(ctx, "first object in object stream resides outside stream");
+
numbuf = fz_calloc(ctx, count, sizeof(int));
ofsbuf = fz_calloc(ctx, count, sizeof(int));
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-29 12:08:02 +0000