From 192525226fe4fd3664a8edb8ac9e7dbe7da401c9 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Sat, 28 Sep 2024 00:28:17 +0100
Subject: [PATCH] Validate that offsets in object streams are strictly increasing
---
 libqpdf/QPDF.cc | 10 ++++++++++
 1 file changed, 10 insertions(+), 0 deletions(-)
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index ce5038e..12b23a8 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2064,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
 bp.get()));
+ qpdf_offset_t last_offset = -1;
 for (int i = 0; i < n; ++i) {
 QPDFTokenizer::Token tnum = readToken(*input);
 QPDFTokenizer::Token toffset = readToken(*input);
@@ -2089,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
 "object stream claims to contain itself"));
 continue;
 }
+ if (offset <= last_offset) {
+ throw damagedPDF(
+ *input,
+ m->last_object_description,
+ input->getLastOffset(),
+ "expected offsets in object stream to be increasing");
+ }
+ last_offset = offset;
+
 offsets[num] = toI(offset + first);
 }
--
libgit2 0.21.4
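Review bot: The `-1` initial value of `last_offset` in the first hunk does a second, undocumented job. Besides letting a first offset of 0 pass, it makes the later `offset <= last_offset` test reject any negative offset, and it does so with a message about ordering rather than sign. A short comment would make the intent explicit, for example `// -1: a first offset of 0 is valid; negative offsets fail the ordering check below`. Whether a negative value can reach this point depends on how `offset` is parsed, which is outside the hunk, as are the start and end of resolveObjectsInStream.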
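Review bot: The new check in the second hunk throws, while the self-reference check directly above it ends in `continue` and so appears only to report and skip, meaning one out-of-order entry abandons every remaining object in the stream. If that is deliberate, say so in a comment such as `// non-increasing offsets make object boundaries ambiguous; reject the whole stream`. The condition is `<=`, so equal offsets are rejected too, and the message would be more precise as `"expected offsets in object stream to be strictly increasing"`, matching the commit subject. How the caller handles the exception is not visible, because the loop and the function continue outside the hunk.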