From bf4b25b27ee61dcd57854e0fee1eae01a597cd10 Mon Sep 17 00:00:00 2001
From: m-holger <m.holger@qpdf.org>
Date: Wed, 21 May 2025 19:12:24 +0100
Subject: [PATCH] Fix startxref recovery

---
 libqpdf/QPDF_objects.cc | 7 +++++++
 1 file changed, 7 insertions(+), 0 deletions(-)

diff --git a/libqpdf/QPDF_objects.cc b/libqpdf/QPDF_objects.cc
index 9d02e67..308f9e8 100644
--- a/libqpdf/QPDF_objects.cc
+++ b/libqpdf/QPDF_objects.cc
@@ -256,10 +256,12 @@ QPDF::reconstruct_xref(QPDFExc& e, bool found_startxref)
 
     if (!found_startxref && !startxrefs.empty() && !found_objects.empty() &&
         startxrefs.back() > std::get<2>(found_objects.back())) {
+        auto xref_backup{m->xref_table};
         try {
             m->file->seek(startxrefs.back(), SEEK_SET);
             if (auto offset = QUtil::string_to_ll(readToken(*m->file).getValue().data())) {
                 read_xref(offset);
+
                 if (getRoot().getKey("/Pages").isDictionary()) {
                     QTC::TC("qpdf", "QPDF startxref more than 1024 before end");
                     warn(damagedPDF(
@@ -273,6 +275,7 @@ QPDF::reconstruct_xref(QPDFExc& e, bool found_startxref)
         } catch (...) {
             // ok, bad luck. Do recovery.
         }
+        m->xref_table = std::move(xref_backup);
     }
 
     auto rend = found_objects.rend();
@@ -1011,6 +1014,10 @@ QPDF::insertXrefEntry(int obj, int f0, qpdf_offset_t f1, int f2)
     // later xref table has registered this object.  Disregard this one.
     int new_gen = f0 == 2 ? 0 : f2;
 
+    if (!(f0 == 1 || f0 == 2)) {
+        return;
+    }
+
     if (!(obj > 0 && obj <= m->xref_table_max_id && 0 <= f2 && new_gen < 65535)) {
         // We are ignoring invalid objgens. Most will arrive here from xref reconstruction. There
         // is probably no point having another warning but we could count invalid items in order to
--
libgit2 0.21.4