From 9a095c5c76cdc14379a65f0e50dcccea30d425aa Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 27 Aug 2019 10:20:14 -0400
Subject: Seek in two stages to avoid overflow

When seeing to a position based on a value read from the input, we are prone to integer overflow (fuzz issue 15442). Seek in two stages to move the overflow check into the input source code.
---
 libqpdf/QPDF.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 28af689a..f6d16e4d 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1632,7 +1632,9 @@ QPDF::readObject(PointerHolder input,
 }
 length = toS(length_obj.getUIntValue());
-input->seek(stream_offset + toO(length), SEEK_SET);
+// Seek in two steps to avoid potential integer overflow
+input->seek(stream_offset, SEEK_SET);
+input->seek(toO(length), SEEK_CUR);
 if (! (readToken(input) == QPDFTokenizer::Token( QPDFTokenizer::tt_word, "endstream")))
--
cgit v1.2.3-54-g00ecf
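Review bot: The split seek only removes the overflow if the SEEK_CUR path of every InputSource implementation checks the sum of the current position and the offset, and the added comment does not say that this is where the guard now lives, so a later reader of QPDF.cc cannot tell the check moved rather than vanished. I would make the comment name the dependency: `// Seek in two steps: length comes from the file, so the overflow check on stream_offset + length is done by InputSource::seek(SEEK_CUR), not here`. Whether the exception a rejected SEEK_CUR raises is reported with the object's location, as other failures in readObject presumably are, is not visible in this hunk. readObject's body begins and ends outside the hunk.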