From aef099047d641a420423e9fea91c1c5e0d9199f0 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Sat, 22 Nov 2025 20:48:52 +0000
Subject: [PATCH] Enhance validation of xref entries for deleted objects.
---
 fuzz/CMakeLists.txt | 1 +
 fuzz/qpdf_extra/4797504999981056.fuzz | 2 ++
 fuzz/qtest/fuzz.test | 2 +-
 libqpdf/QPDF_objects.cc | 4 ++--
 4 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 fuzz/qpdf_extra/4797504999981056.fuzz
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index 04d90ea..9c95ec6 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -162,6 +162,7 @@ set(CORPUS_OTHER
 440599107.fuzz
 440747125.fuzz
 4720043549327360.fuzz
+ 4797504999981056.fuzz
 4876793183272960.fuzz
 5109284021272576.fuzz
 5344352869351424.fuzz
diff --git a/fuzz/qpdf_extra/4797504999981056.fuzz b/fuzz/qpdf_extra/4797504999981056.fuzz
new file mode 100644
index 0000000..8e740ab
--- /dev/null
+++ b/fuzz/qpdf_extra/4797504999981056.fuzz
@@ -0,0 +1,2 @@
+ xref 2147483647 1 1 5 fstartxref 2
+trailer<>
\ No newline at end of file
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index 8925369..7004c6b 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 106; # increment when adding new files
+my $n_qpdf_files = 107; # increment when adding new files
 my @fuzzers = (
 ['ascii85' => 1],
diff --git a/libqpdf/QPDF_objects.cc b/libqpdf/QPDF_objects.cc
index 800a182..48de898 100644
--- a/libqpdf/QPDF_objects.cc
+++ b/libqpdf/QPDF_objects.cc
@@ -533,7 +533,7 @@ Objects::read_xref(qpdf_offset_t xref_offset, bool in_stream_recovery)
 max_obj = std::max(max_obj, *(m->deleted_objects.rbegin()));
 }
 if (size < 1 || (size - 1) != max_obj) {
- if (size == (max_obj + 2) && qpdf.getObject(max_obj +1, 0).isStreamOfType("/XRef")) {
+ if (size == (max_obj + 2) && qpdf.getObject(max_obj + 1, 0).isStreamOfType("/XRef")) {
 warn(damagedPDF(
 "",
 -1,
@@ -1132,7 +1132,7 @@ Objects::insertXrefEntry(int obj, int f0, qpdf_offset_t f1, int f2)
 void
 Objects::insertFreeXrefEntry(QPDFObjGen og)
 {
- if (!m->xref_table.contains(og)) {
+ if (!m->xref_table.contains(og) && og.getObj() <= m->xref_table_max_id) {
 m->deleted_objects.insert(og.getObj());
 }
 }
-- 
libgit2 0.21.4
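Review bot: The new bound in insertFreeXrefEntry drops a free entry silently when `og.getObj()` exceeds `m->xref_table_max_id`, whereas the comparable size mismatch in read_xref (the first hunk of this file) is reported through `warn(damagedPDF(...))`; an out-of-range free entry is equally a sign of a damaged or crafted xref table and deserves the same warning so the rejection is visible in qpdf's output and to anyone triaging the fuzz case. The reason for the bound is also not stated at the call site: presumably it keeps read_xref's `max_obj + 1` and `max_obj + 2` arithmetic from being fed an object number near INT_MAX (the new fuzz file uses 2147483647), which would otherwise overflow a signed int, and a one-line comment such as `// Ignore free entries beyond the xref table bound; read_xref derives max_obj from deleted_objects and adds to it.` would record that for the next reader. The declaration of `xref_table_max_id` is outside the hunk, so whether the comparison with `og.getObj()` mixes signed and unsigned types should be confirmed.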