Fix incorrect handling of invalid negative object ids

Fix two errors introduced in #1110 and #1112. Since
#1110, encountering the invalid indirect reference #1110
-2147483648 n R produces an integer underflow which, if
 undetected, immediately trigger a logic error. Since
 #1112, object -1 0 R may be incorrectly identified as
 an earlier generation of itself and deleted,
 invalidating a live iterator.

1 files changed, 5 insertions, 4 deletions

diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 89d4a0a8..8cff3dfd 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -709,10 +709,11 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 
     // Make sure we keep only the highest generation for any object.
     QPDFObjGen last_og{-1, 0};
-    for (auto const& og: m->xref_table) {
-        if (og.first.getObj() == last_og.getObj())
+    for (auto const& item: m->xref_table) {
+        auto id = item.first.getObj();
+        if (id == last_og.getObj() && id > 0)
             removeObject(last_og);
-        last_og = og.first;
+        last_og = item.first;
     }
 }
 
@@ -2405,7 +2406,7 @@ QPDF::getCompressibleObjGens()
     while (!queue.empty()) {
         auto obj = queue.back();
         queue.pop_back();
-        if (obj.isIndirect()) {
+        if (obj.getObjectID() > 0) {
             QPDFObjGen og = obj.getObjGen();
             const size_t id = toS(og.getObj() - 1);
             if (id >= max_obj)