From aa188d02031df0c96e785d4ea0ef0f95599827d1 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Thu, 1 Feb 2018 16:47:12 +0100
Subject: Do not allow out of range object numbers inside object stream.
---
 source/pdf/pdf-xref.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 5deeaefa..5ff13f55 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1594,10 +1594,12 @@ pdf_load_obj_stm(fz_context *ctx, pdf_document *doc, int num, pdf_lexbuf *buf, i
 count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
 first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
- if (count < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "negative number of objects in object stream");
- if (first < 0)
- fz_throw(ctx, FZ_ERROR_GENERIC, "first object in object stream resides outside stream");
+ if (count < 0 || count > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "number of objects in object stream out of range");
+ if (first < 0 || first > PDF_MAX_OBJECT_NUMBER
+ || count < 0 || count > PDF_MAX_OBJECT_NUMBER
+ || first + count - 1 > PDF_MAX_OBJECT_NUMBER)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "object stream object numbers are out of range");
 numbuf = fz_calloc(ctx, count, sizeof(*numbuf));
 ofsbuf = fz_calloc(ctx, count, sizeof(*ofsbuf));
--
cgit v1.2.3
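Review bot: The second `if` bounds `first` and `first + count - 1` by `PDF_MAX_OBJECT_NUMBER`, but `/First` in an object stream dictionary is the byte offset of the first compressed object within the decoded stream, not an object number, which is what the removed message ("resides outside stream") described. As written the test can reject a well-formed stream whose header is large, and it does not constrain the object numbers themselves: those are the integers read from the stream header into `numbuf`, after the allocations and outside this hunk, so that is presumably where each value should be compared against `PDF_MAX_OBJECT_NUMBER` before it is used as an xref index. I would keep the new upper bound on `count`, which caps the two `fz_calloc` sizes taken from the file, and restore the offset check as `if (first < 0)` with its original message. The repeated `count < 0 || count > PDF_MAX_OBJECT_NUMBER` terms in the second condition are unreachable after the first `fz_throw` and can be dropped.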