From ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 27 Aug 2019 10:16:18 -0400
Subject: Fix fuzz issue 15387 (overflow checking xref size)
---
 libqpdf/QPDF.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'libqpdf')
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index fd661ba0..28af689a 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 {
 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
 }
- if (size != max_obj + 1)
+ if (size - 1 != max_obj)
 {
 QTC::TC("qpdf", "QPDF xref size mismatch");
 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0,
 std::string("reported number of objects (") +
 QUtil::int_to_string(size) +
- ") inconsistent with actual number of objects (" +
- QUtil::int_to_string(max_obj + 1) + ")"));
+ ") is not one plus the highest object number (" +
+ QUtil::int_to_string(max_obj) + ")"));
 }

 // We no longer need the deleted_objects table, so go ahead and
-- 
cgit v1.2.3-54-g00ecf
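Review bot: The rewritten condition `size - 1 != max_obj` may only move the signed overflow to the other end of the range. The declarations of `size` and `max_obj` and the rest of `read_xref` lie outside the hunk, so this is inferred: if `size` is a signed integer taken from the file's trailer and is not range-checked earlier, a crafted value at the type's minimum makes `size - 1` undefined in the same way `max_obj + 1` was. Assuming object numbers are never negative, a short-circuit guard keeps the subtraction from being evaluated for non-positive sizes and still reports the mismatch: `if ((size < 1) || (size - 1 != max_obj))`. A one-line comment above the test, such as `// compare as size - 1 so a maximal max_obj cannot overflow`, would also stop a later cleanup from switching back to the `+ 1` form.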