From bb83e65193684b5a7521fa77ffb87ad82e49564c Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 17 Sep 2019 19:48:27 -0400
Subject: Fix fuzz issue 16953 (overflow checking in xref stream index)
---
libqpdf/QPDF.cc | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'libqpdf/QPDF.cc')
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 511081a8..a484fdc4 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -5,6 +5,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1202,7 +1203,16 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // based on /Index. The generation number is 0 unless this is
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
- int obj = toI(indx.at(cur_chunk)) + chunk_count;
+ int obj = toI(indx.at(cur_chunk));
+ if ((std::numeric_limits::max() - obj) < chunk_count)
+ {
+ std::ostringstream msg;
+ msg << "adding " << chunk_count << " to " << obj << " while computing index in xref stream would cause" << " an integer overflow";
+ throw std::range_error(msg.str());
+ }
+ obj += chunk_count;
 ++chunk_count;
 if (chunk_count >= indx.at(cur_chunk + 1))
 {
-- cgit v1.2.3-54-g00ecf
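Review bot: The new guard `(std::numeric_limits<int>::max() - obj) < chunk_count` only covers the positive direction; if `toI(indx.at(cur_chunk))` yields a negative value (the /Index array comes straight from the file, and toI looks like a range-checked narrowing rather than a sign check, though its definition is outside the hunk), `max() - obj` itself overflows before the comparison runs, and a negative object number is not a valid xref-stream index in any case. Rejecting the sign first closes both cases with one line, `if (obj < 0 || chunk_count > std::numeric_limits<int>::max() - obj)`, keeping the existing error path. This assumes chunk_count is a non-negative int, which its `++chunk_count` use suggests but the hunk does not show. The error is thrown as a plain `std::range_error` with no file name or offset; if the surrounding parser reports through QPDFExc, using it here would make fuzz-case triage easier. processXRefStream's body starts and ends outside the hunk.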