Commit 153060a0c5e92acfda7982dfa62543ef67973cc8
Committed by
Jay Berkenbilt
Jay Berkenbilt
1 parent
9a3791c5
Check integer overflow in resolveObjectsInStream
Fixes a crash found by fuzzing.
Showing
1 changed file
with
2 additions
and
2 deletions
libqpdf/QPDF.cc
| @@ -2151,8 +2151,8 @@ QPDF::resolveObjectsInStream(int obj_stream_number) | @@ -2151,8 +2151,8 @@ QPDF::resolveObjectsInStream(int obj_stream_number) | ||
| 2151 | } | 2151 | } |
| 2152 | 2152 | ||
| 2153 | int num = QUtil::string_to_int(tnum.getValue().c_str()); | 2153 | int num = QUtil::string_to_int(tnum.getValue().c_str()); |
| 2154 | - int offset = QUtil::string_to_int(toffset.getValue().c_str()); | ||
| 2155 | - offsets[num] = offset + first; | 2154 | + long long offset = QUtil::string_to_int(toffset.getValue().c_str()); |
| 2155 | + offsets[num] = QIntC::to_int(offset + first); | ||
| 2156 | } | 2156 | } |
| 2157 | 2157 | ||
| 2158 | // To avoid having to read the object stream multiple times, store | 2158 | // To avoid having to read the object stream multiple times, store |