From 95cf5b2cb3aa20b3203286e14b67064774270a4b Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Fri, 24 May 2013 07:28:50 -0700
Subject: Solve fuzzing SEGV due to negative object number in xref.

---
 pdf/pdf_xref.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'pdf')

diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 0be3740f..b3455773 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -230,6 +230,9 @@ pdf_read_old_xref(pdf_document *xref, pdf_lexbuf *buf)
 fz_seek(xref->file, -(2 + (int)strlen(s)), 1);
 }
 
+ if (ofs < 0)
+ fz_throw(xref->ctx, "out of range object num in xref: %d", ofs);
+
 /* broken pdfs where size in trailer undershoots entries in xref sections */
 if (ofs + len > xref->len)
 {
--
cgit v1.2.3
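Review bot: The new guard ahead of the `ofs + len > xref->len` test rejects only a negative `ofs`; `len` takes part in the same sum and is not checked at this point. If `len` is read from the xref subsection header the same way as `ofs` (its assignment is outside this hunk, so this is inferred), a negative `len` or an `ofs` close to `INT_MAX` can make `ofs + len` come out small or overflow a signed int, so the table-growing branch below is skipped for a range that is not valid. I would widen the check to `if (ofs < 0 || len < 0 || ofs > INT_MAX - len)` and report both values in the message. `pdf_read_old_xref` begins and ends outside the hunk, so whether later code bounds `len` cannot be confirmed from here.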