From 9f879e14e5645aff6b4be27271f2196c05f5a193 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Mon, 23 Sep 2013 17:30:50 +0100
Subject: Bug 694565: Cope with negative xref counts when reading old trailers.

This was causing an infinite loop.
---
 source/pdf/pdf-xref.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 01a584e3..6d440418 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -363,6 +363,8 @@ pdf_xref_size_from_old_trailer(pdf_document *doc, pdf_lexbuf *buf)
 		if (!s)
 			fz_throw(doc->ctx, FZ_ERROR_GENERIC, "invalid range marker in xref");
 		len = fz_atoi(fz_strsep(&s, " "));
+		if (len <= 0)
+			fz_throw(doc->ctx, FZ_ERROR_GENERIC, "xref range marker must be positive");
 
 		/* broken pdfs where the section is not on a separate line */
 		if (s && *s != '\0')
-- 
cgit v1.2.3