diff options
author | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 16:16:18 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2019-08-27 17:26:25 +0200 |
commit | ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e (patch) | |
tree | c2c80f45438d3096191d1f9a3d63677f6ac78a39 /libqpdf | |
parent | 6bc4cc3d48dd2216c9415215967e46d429b7f6b1 (diff) | |
download | qpdf-ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e.tar.zst |
Fix fuzz issue 15387 (overflow checking xref size)
Diffstat (limited to 'libqpdf')
-rw-r--r-- | libqpdf/QPDF.cc | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc index fd661ba0..28af689a 100644 --- a/libqpdf/QPDF.cc +++ b/libqpdf/QPDF.cc @@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset) { max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin())); } - if (size != max_obj + 1) + if (size - 1 != max_obj) { QTC::TC("qpdf", "QPDF xref size mismatch"); warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0, std::string("reported number of objects (") + QUtil::int_to_string(size) + - ") inconsistent with actual number of objects (" + - QUtil::int_to_string(max_obj + 1) + ")")); + ") is not one plus the highest object number (" + + QUtil::int_to_string(max_obj) + ")")); } // We no longer need the deleted_objects table, so go ahead and |