Check integer overflow in resolveObjectsInStream

Fixes a crash found by fuzzing.
author: Dean Scarff <deanscarff@google.com> 2020-07-02 05:56:09 +0200
committer: Jay Berkenbilt <jberkenbilt@users.noreply.github.com> 2020-10-17 02:09:24 +0200
commit: 153060a0c5e92acfda7982dfa62543ef67973cc8 (patch)
tree: 475850f335fe479a255d8818adbfa73c93797dc2 /libqpdf/QPDF.cc
parent: 9a3791c53b5c48516af5825302a5145397cb65e5 (diff)
download: qpdf-153060a0c5e92acfda7982dfa62543ef67973cc8.tar.zst
1 files changed, 2 insertions, 2 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 1611b68e..5aa2d98c 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2151,8 +2151,8 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 	}
 
 	int num = QUtil::string_to_int(tnum.getValue().c_str());
-	int offset = QUtil::string_to_int(toffset.getValue().c_str());
-	offsets[num] = offset + first;
+	long long offset = QUtil::string_to_int(toffset.getValue().c_str());
+	offsets[num] = QIntC::to_int(offset + first);
     }
 
     // To avoid having to read the object stream multiple times, store
author	Dean Scarff <deanscarff@google.com>	2020-07-02 05:56:09 +0200
committer	Jay Berkenbilt <jberkenbilt@users.noreply.github.com>	2020-10-17 02:09:24 +0200
commit	153060a0c5e92acfda7982dfa62543ef67973cc8 (patch)
tree	475850f335fe479a255d8818adbfa73c93797dc2 /libqpdf/QPDF.cc
parent	9a3791c53b5c48516af5825302a5145397cb65e5 (diff)
download	qpdf-153060a0c5e92acfda7982dfa62543ef67973cc8.tar.zst