author | Dean Scarff <deanscarff@google.com> | 2020-07-02 05:56:09 +0200 |
---|---|---|
committer | Jay Berkenbilt <jberkenbilt@users.noreply.github.com> | 2020-10-17 02:09:24 +0200 |
commit | 153060a0c5e92acfda7982dfa62543ef67973cc8 (patch) | |
tree | 475850f335fe479a255d8818adbfa73c93797dc2 | |
parent | 9a3791c53b5c48516af5825302a5145397cb65e5 (diff) | |
download | qpdf-153060a0c5e92acfda7982dfa62543ef67973cc8.tar.zst |
Check integer overflow in resolveObjectsInStream
Fixes a crash found by fuzzing.
-rw-r--r-- | libqpdf/QPDF.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc index 1611b68e..5aa2d98c 100644 --- a/libqpdf/QPDF.cc +++ b/libqpdf/QPDF.cc @@ -2151,8 +2151,8 @@ QPDF::resolveObjectsInStream(int obj_stream_number) } int num = QUtil::string_to_int(tnum.getValue().c_str()); - int offset = QUtil::string_to_int(toffset.getValue().c_str()); - offsets[num] = offset + first; + long long offset = QUtil::string_to_int(toffset.getValue().c_str()); + offsets[num] = QIntC::to_int(offset + first); } // To avoid having to read the object stream multiple times, store |
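Review bot: On the changed line `offsets[num] = QIntC::to_int(offset + first);` the sum is checked only for fitting in an int, so a negative `offset`, or a sum that lands outside the object stream, is still stored in `offsets`. Consider rejecting `offset < 0` (and a `num` that is not valid for this stream) right after the two `QUtil::string_to_int` calls, and treating a range failure from `QIntC::to_int` as a damaged-file condition at this call site. A short comment on `long long offset` would help too: `string_to_int` still produces an int, and the wider type is there only so that the addition with `first` is done before narrowing. The commit message says the crash was found by fuzzing, but the diffstat shows only libqpdf/QPDF.cc changed, so the triggering input is not added as a regression case; including it would keep this check from regressing unnoticed.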