From bc8b6cc1e73686a97a3b2ea3160ec851c850d3f1 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Fri, 12 Jul 2013 16:11:03 +0200
Subject: Throw exception on invalid page objects when looking up page numbers.

Also handle exceptions when parsing link destinations.
---
 source/pdf/pdf-annot.c | 13 ++++++++++++-
 source/pdf/pdf-page.c  |  5 ++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/source/pdf/pdf-annot.c b/source/pdf/pdf-annot.c
index bfc31e9a..c571a0a1 100644
--- a/source/pdf/pdf-annot.c
+++ b/source/pdf/pdf-annot.c
@@ -57,11 +57,22 @@ pdf_parse_link_dest(pdf_document *doc, pdf_obj *dest)
 		ld.kind = FZ_LINK_NONE;
 		return ld;
 	}
+
 	obj = pdf_array_get(dest, 0);
 	if (pdf_is_int(obj))
 		ld.ld.gotor.page = pdf_to_int(obj);
 	else
-		ld.ld.gotor.page = pdf_lookup_page_number(doc, obj);
+	{
+		fz_try(doc->ctx)
+		{
+			ld.ld.gotor.page = pdf_lookup_page_number(doc, obj);
+		}
+		fz_catch(doc->ctx)
+		{
+			ld.kind = FZ_LINK_NONE;
+			return ld;
+		}
+	}
 
 	ld.kind = FZ_LINK_GOTO;
 	ld.ld.gotor.flags = 0;
diff --git a/source/pdf/pdf-page.c b/source/pdf/pdf-page.c
index 9f802927..66e72bc7 100644
--- a/source/pdf/pdf-page.c
+++ b/source/pdf/pdf-page.c
@@ -129,11 +129,14 @@ pdf_lookup_page_number(pdf_document *doc, pdf_obj *node)
 	int total = 0;
 	pdf_obj *parent, *parent2;
 
+	if (strcmp(pdf_to_name(pdf_dict_gets(node, "Type")), "Page") != 0)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "invalid page object");
+
 	parent2 = parent = pdf_dict_gets(node, "Parent");
 	fz_var(parent);
 	fz_try(ctx)
 	{
-		while (parent)
+		while (pdf_is_dict(parent))
 		{
 			if (pdf_mark_obj(parent))
 				fz_throw(ctx, FZ_ERROR_GENERIC, "cycle in page tree (parents)");
-- 
cgit v1.2.3