From a985147b714a928646f1b5350bc1d7ae0866c615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Thu, 13 Feb 2014 22:27:03 +0100
Subject: Bug 695040: prevent integer overflow in pdf_xref_size_from_old_trailer
---
source/pdf/pdf-xref.c | 2 ++
1 file changed, 2 insertions(+)
(limited to 'source')
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 9a3cfd37..1cf89de9 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -382,6 +382,8 @@ pdf_xref_size_from_old_trailer(pdf_document *doc, pdf_lexbuf *buf)
 t = fz_tell(doc->file);
 if (t < 0)
 fz_throw(doc->ctx, FZ_ERROR_GENERIC, "cannot tell in file");
+ if (len > (INT_MAX - t) / 20)
+ fz_throw(doc->ctx, FZ_ERROR_GENERIC, "xref has too many entries");
 fz_seek(doc->file, t + 20 * len, SEEK_SET);
 }
-- cgit v1.2.3
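Review bot: The new guard bounds `len` only from above, so a negative `len` would pass it and still reach `fz_seek(doc->file, t + 20 * len, SEEK_SET)` with a target below `t`. The hunk does not show how `len` is validated earlier in `pdf_xref_size_from_old_trailer`, whose body starts and ends outside it. If no lower-bound check exists there, the condition could read `if (len < 0 || len > (INT_MAX - t) / 20)`. The literal `20` also deserves a short comment such as `/* each old-format xref entry is 20 bytes */`, and `INT_MAX` needs `<limits.h>` in scope, which is not visible here.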