From 482916cd8cfcd467782dcdd130b0a1768f5fce1b Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Wed, 2 Aug 2017 00:01:06 +0800
Subject: Bug 698279: Throw exception if xref object number offset too big.
---
 source/pdf/pdf-xref.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'source/pdf')
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 3ce2cb01..14b8b5bd 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -862,6 +862,8 @@ pdf_read_old_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
 if (ofs < 0)
 fz_throw(ctx, FZ_ERROR_GENERIC, "out of range object num in xref: %d", (int)ofs);
+ if (ofs > FZ_OFF_MAX - len)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "xref section object numbers too big");
 /* broken pdfs where size in trailer undershoots entries in xref sections */
 if (ofs + len > xref_len)
--
cgit v1.2.3
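Review bot: The added guard `if (ofs > FZ_OFF_MAX - len)` is only overflow-safe when `len` is non-negative, and no check on `len` is visible in this hunk. If `len` can be negative after parsing an xref subsection header from an untrusted file, `FZ_OFF_MAX - len` itself overflows (undefined behaviour for a signed type) and the following `ofs + len > xref_len` comparison works on a meaningless sum. Consider rejecting it in the same test, `if (len < 0 || ofs > FZ_OFF_MAX - len)`, unless `len` is already validated earlier in pdf_read_old_xref, whose body starts and ends outside the hunk. The bound used is also the file-offset maximum rather than an object-number limit, so a very large but non-overflowing `ofs + len` still enters the `ofs + len > xref_len` branch (its body is not shown here); a short comment stating the intended upper bound on object numbers would help the next reader.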