From 153060a0c5e92acfda7982dfa62543ef67973cc8 Mon Sep 17 00:00:00 2001
From: Dean Scarff
Date: Thu, 2 Jul 2020 13:56:09 +1000
Subject: Check integer overflow in resolveObjectsInStream
Fixes a crash found by fuzzing.
---
libqpdf/QPDF.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'libqpdf')
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 1611b68e..5aa2d98c 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2151,8 +2151,8 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 }
 int num = QUtil::string_to_int(tnum.getValue().c_str());
- int offset = QUtil::string_to_int(toffset.getValue().c_str());
- offsets[num] = offset + first;
+ long long offset = QUtil::string_to_int(toffset.getValue().c_str());
+ offsets[num] = QIntC::to_int(offset + first);
 }
 // To avoid having to read the object stream multiple times, store
-- cgit v1.2.3-54-g00ecf
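Review bot: The sum `offset + first` is now range-checked for `int`, but nothing in this hunk rejects a negative `num` or `offset`, both of which are parsed as signed integers from tokens in the object stream (`tnum`, `toffset`) and so are controlled by the file being read. If no check exists elsewhere in the function, a guard of the form `if (num < 0 || offset < 0)` routed to the file's existing damaged-stream handling, placed before the `offsets[num]` store, would cover that. The `long long` declaration fed by `string_to_int` also looks like a slip to a later reader, so a comment such as `// widened so offset + first cannot overflow int; QIntC::to_int range-checks the sum` would stop a cleanup from reverting the fix. `QIntC::to_int` presumably reports an out-of-range value by throwing, so it is worth confirming that callers turn that into a damaged-file error rather than an unhandled exception. The body of `resolveObjectsInStream` starts and ends outside the hunk.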