From f919270b6a732ff45c3ba2d0c105e2b39e9c9bc9 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Sat, 4 Aug 2012 14:11:20 +0200
Subject: Handle invalid obj/gen numbers when repairing pdfs

Out of range object numbers cause the repaired object to be ignored. Out of range generation numbers are clamped to the permitted range.
---
 pdf/pdf_repair.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pdf/pdf_repair.c b/pdf/pdf_repair.c
index 0874c2f8..df8d81f9 100644
--- a/pdf/pdf_repair.c
+++ b/pdf/pdf_repair.c
@@ -3,6 +3,9 @@

 /* Scan file for objects and reconstruct xref table */

+/* Define in PDF 1.7 to be 8388607, but mupdf is more lenient. */
+#define MAX_OBJECT_NUMBER (10 << 20)
+
 struct entry
 {
 int num;
@@ -170,6 +173,16 @@ pdf_repair_obj_stm(pdf_document *xref, int num, int gen)
 fz_throw(ctx, "corrupt object stream (%d %d R)", num, gen);

 n = buf.i;
+ if (n < 0)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", n, i);
+ continue;
+ }
+ else if (n > MAX_OBJECT_NUMBER)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", n, i);
+ continue;
+ }
 if (n >= xref->len)
 pdf_resize_xref(xref, n + 1);

@@ -299,6 +312,19 @@ pdf_repair_xref(pdf_document *xref, pdf_lexbuf *buf)
 break;
 }

+ if (num < 0)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ continue;
+ }
+ else if (num > MAX_OBJECT_NUMBER)
+ {
+ fz_warn(ctx, "ignoring object with invalid object number (%d %d R)", num, gen);
+ continue;
+ }
+
+ gen = fz_clampi(gen, 0, 65535);
+
 if (listlen + 1 == listcap)
 {
 listcap = (listcap * 3) / 2;
-- cgit v1.2.3
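Review bot: The comment on `MAX_OBJECT_NUMBER` in the first hunk does not say why the limit exists, and "Define" should read "Defined". In the pdf_repair_obj_stm hunk the new bound is checked immediately before `pdf_resize_xref(xref, n + 1)`, so the constant is also the ceiling on how large an xref table a damaged or crafted file can make repair allocate. I would write `/* PDF 1.7 defines the maximum object number as 8388607; mupdf is more lenient. This also caps how far repair will grow the xref table. */` so that nobody raises the limit later without considering memory use.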
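Review bot: In the pdf_repair_obj_stm hunk the two new branches are identical apart from the condition and can be a single test, `if (n < 0 || n > MAX_OBJECT_NUMBER)`; the same duplication appears in the pdf_repair_xref hunk. The warning passes `n, i` to a `(%d %d R)` format, but `i` looks like the loop counter rather than a generation number, so the logged reference is probably misleading; naming the containing stream's `num, gen` next to `n` would be easier to trace. The loop body continues outside the hunk: if it reads a second integer per entry (the object's offset) after the table update, `continue` skips that read and the following iteration would treat the offset as an object number, which should be confirmed against the full function.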
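Review bot: `gen = fz_clampi(gen, 0, 65535);` in the pdf_repair_xref hunk changes the generation number silently, while the object-number path right above it logs a warning. A repaired entry whose generation was altered is hard to diagnose afterwards, so I would warn when the clamp actually changes the value, for example `if (gen < 0 || gen > 65535) fz_warn(ctx, "clamping invalid generation number (%d %d R)", num, gen);` placed before the clamp, and give 65535 a named constant next to `MAX_OBJECT_NUMBER`. The enclosing loop starts and ends outside the hunk, so what the two `continue` statements skip in the rest of the iteration cannot be judged from here and should be checked.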