From 2a1611030030e18010a0ab1d69eda0359eb5f585 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Wed, 13 Dec 2017 21:14:19 +0100
Subject: Validate that /Size in trailer is in range.

---
 source/pdf/pdf-xref.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'source')

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index f2ba5a5d..392adf33 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -748,8 +748,8 @@ pdf_xref_size_from_old_trailer(fz_context *ctx, pdf_document *doc, pdf_lexbuf *b
 		trailer = pdf_parse_dict(ctx, doc, doc->file, buf);
 
 		size = pdf_to_int(ctx, pdf_dict_get(ctx, trailer, PDF_NAME_Size));
-		if (!size)
-			fz_throw(ctx, FZ_ERROR_GENERIC, "trailer missing Size entry");
+		if (size < 0 || size > PDF_MAX_OBJECT_NUMBER + 1)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "trailer Size entry out of range");
 	}
 	fz_always(ctx)
 	{
-- 
cgit v1.2.3