authorJay Berkenbilt <ejb@ql.org>2013-10-05 12:26:06 +0200
committerJay Berkenbilt <ejb@ql.org>2013-10-10 01:50:09 +0200
commit3eb4b066ab3f25f6454214d33b2fc17161812dfa (patch)
treec6e71e5ed387d5d728e13fcdd57b1bca94c41e50 /libqpdf
parentb097d7a81b5c9cb349fff5c1efe6a0c390025579 (diff)
downloadqpdf-3eb4b066ab3f25f6454214d33b2fc17161812dfa.tar.zst
Security: better bounds checks for linearization data
The faulty code was only used during explicit checks of linearization data. Those checks are not part of normal reading or writing of PDF files.
Diffstat (limited to 'libqpdf')
-rw-r--r--libqpdf/QPDF_linearization.cc14
1 files changed, 14 insertions, 0 deletions
diff --git a/libqpdf/QPDF_linearization.cc b/libqpdf/QPDF_linearization.cc
index 2c4fefc0..dd09b1c0 100644
--- a/libqpdf/QPDF_linearization.cc
+++ b/libqpdf/QPDF_linearization.cc
@@ -295,11 +295,25 @@ QPDF::readLinearizationData()
readHPageOffset(BitStream(h_buf, h_size));
int HSi = HS.getIntValue();
+ if ((HSi < 0) || (HSi >= h_size))
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ "linearization hint table",
+ this->file->getLastOffset(),
+ "/S (shared object) offset is out of bounds");
+ }
readHSharedObject(BitStream(h_buf + HSi, h_size - HSi));
if (HO.isInteger())
{
int HOi = HO.getIntValue();
+ if ((HOi < 0) || (HOi >= h_size))
+ {
+ throw QPDFExc(qpdf_e_damaged_pdf, this->file->getName(),
+ "linearization hint table",
+ this->file->getLastOffset(),
+ "/O (outline) offset is out of bounds");
+ }
readHGeneric(BitStream(h_buf + HOi, h_size - HOi),
this->outline_hints);
}
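Review bot: Both new bounds checks test `HSi` and `HOi` only after `getIntValue()` has been stored in an `int`. If that accessor returns a wider type (its declaration is not in the hunk), an offset beyond the int range in a damaged file is narrowed before the comparison and could land back inside `[0, h_size)`. Comparing the unnarrowed value closes that gap, e.g. `if ((HS.getIntValue() < 0) || (HS.getIntValue() >= h_size))`, and likewise for `HO`, assigning to the `int` only after the check passes. The visible lines guard `HO` with `isInteger()` but show no such guard for `HS`; it may be handled earlier in `readLinearizationData()`, whose body starts and ends outside this hunk. Since the two checks differ only in their message, a small file-local helper taking the offset, `h_size` and the message text would keep them from drifting apart.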