Fix crash in 1255.pdf.SIGSEGV.56f.285

author: Thomas Freitag <Thomas.Freitag@kabelmail.de> 2012-09-09 23:08:49 +0200
committer: Albert Astals Cid <aacid@kde.org> 2012-09-09 23:08:49 +0200
commit: 86b89864396a1dcf027e5793e6ac75411977bcf9 (patch)
tree: 83ce709147321f8c015ea271945cec9157c662b4
parent: 96931732f343d2bbda9af9488b485da031866c3b (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 35648073..9a0c9006 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -719,6 +719,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
       error(errSyntaxError, -1, "Invalid 'size' inside xref table");
       return gFalse;
     }
+    if (first + n > size) {
+      error(errSyntaxError, -1, "Invalid 'first' or 'n' inside xref table");
+      return gFalse;
+    }
   }
   for (i = first; i < first + n; ++i) {
     if (w[0] == 0) {
@@ -1085,6 +1089,8 @@ Object *XRef::fetch(int num, int gen, Object *obj, int recursion) {
 	objStr = NULL;
 	goto err;
       } else {
+	// XRef could be reconstructed in constructor of ObjectStream:
+	e = getEntry(num);
 	ObjectStreamKey *newkey = new ObjectStreamKey(e->offset);
 	ObjectStreamItem *newitem = new ObjectStreamItem(objStr);
 	objStrs->put(newkey, newitem);
author	Thomas Freitag <Thomas.Freitag@kabelmail.de>	2012-09-09 23:08:49 +0200
committer	Albert Astals Cid <aacid@kde.org>	2012-09-09 23:08:49 +0200
commit	86b89864396a1dcf027e5793e6ac75411977bcf9 (patch)
tree	83ce709147321f8c015ea271945cec9157c662b4
parent	96931732f343d2bbda9af9488b485da031866c3b (diff)