From ed43691bf3e1da1cefb7a4618cb809684040dd65 Mon Sep 17 00:00:00 2001
From: m-holger
Date: Wed, 17 Jan 2024 13:15:13 +0000
Subject: [PATCH] Tighten checks for invalid indirect references in QPDFParser
---
 libqpdf/QPDFParser.cc | 11 +++++------
 qpdf/qpdf.testcov | 2 +-
 qpdf/test_driver.cc | 4 ++++
 3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/libqpdf/QPDFParser.cc b/libqpdf/QPDFParser.cc
index 32c4f8e..2551cf9 100644
--- a/libqpdf/QPDFParser.cc
+++ b/libqpdf/QPDFParser.cc
@@ -163,16 +163,15 @@ QPDFParser::parseRemainder(bool content_stream)
 throw std::logic_error("QPDFParser::parse called without context on an object "
 "with indirect references");
 }
- auto ref_og = QPDFObjGen(
- QIntC::to_int(int_buffer[(int_count - 1) % 2]),
- QIntC::to_int(int_buffer[(int_count) % 2]));
- if (ref_og.isIndirect()) {
+ auto id = QIntC::to_int(int_buffer[(int_count - 1) % 2]);
+ auto gen = QIntC::to_int(int_buffer[(int_count) % 2]);
+ if (!(id < 1 || gen < 0 || gen >= 65535)) {
 // This action has the desirable side effect of causing dangling references
 // (references to indirect objects that don't appear in the PDF) in any parsed
 // object to appear in the object cache.
- add(std::move(context->getObject(ref_og).obj));
+ add(std::move(context->getObject(id, gen).obj));
 } else {
- QTC::TC("qpdf", "QPDFParser indirect with 0 objid");
+ QTC::TC("qpdf", "QPDFParser invalid objgen");
 addNull();
 }
 int_count = 0;
diff --git a/qpdf/qpdf.testcov b/qpdf/qpdf.testcov
index 6d0f8a4..e7b6a8a 100644
--- a/qpdf/qpdf.testcov
+++ b/qpdf/qpdf.testcov
@@ -256,7 +256,7 @@ QPDFWriter standard deterministic ID 1
 QPDFWriter linearized deterministic ID 1
 QPDFWriter deterministic with no data 0
 qpdf-c called qpdf_set_deterministic_ID 0
-QPDFParser indirect with 0 objid 0
+QPDFParser invalid objgen 0
 QPDF object id 0 0
 QPDF recursion loop in resolve 0
 QPDFParser treat word as string 0
diff --git a/qpdf/test_driver.cc b/qpdf/test_driver.cc
index 472a96a..28d8062 100644
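Review bot: In the libqpdf/QPDFParser.cc hunk, the new validity test `if (!(id < 1 || gen < 0 || gen >= 65535))` is a negated disjunction around a bare 65535, which makes the accepted range hard to read in code that parses untrusted PDF input. The positive form `if (id >= 1 && gen >= 0 && gen < 65535)`, with a comment such as `// generation 65535 is reserved for xref entries that are never reused, so no in-use object can carry it`, would state the rule directly. Both values still pass through `QIntC::to_int` before the range test, so if `int_buffer` holds a type wider than int, a number outside int range would presumably raise from the conversion rather than reach the `addNull()` path; that case deserves a comment or a test. No upper bound is applied to `id`, which looks intentional given the comment about dangling references entering the object cache, but it is worth saying so next to the check. `parseRemainder` begins and ends outside this hunk.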
--- a/qpdf/test_driver.cc
+++ b/qpdf/test_driver.cc
@@ -1202,6 +1202,10 @@ test_31(QPDF& pdf, char const* arg2)
 assert(QPDFObjectHandle::parse(&pdf, ">>").unparse() == "null");
 // TC:QPDFParser eof in parse
 assert(QPDFObjectHandle::parse(&pdf, "[7 0 R]").getArrayItem(0).isNull());
+ // TC:QPDFParser invalid objgen
+ assert(
+ QPDFObjectHandle::parse(&pdf, "[0 0 R -1 0 R 1 65535 R 1 100000 R 1 -1 R]").unparse() ==
+ "[ null null null null null ]");
 }

 static void
--
libgit2 0.21.4
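Review bot: The added assertion in `test_31` pins only the rejected side of each bound, so an off-by-one in the accepted range (for example, rejecting generation 65534 or object id 1) would still pass. A companion case just inside the limits, along the lines of `assert(QPDFObjectHandle::parse(&pdf, "[1 65534 R]").unparse() == "[ 1 65534 R ]");`, would fix the boundary from both sides; the expected string assumes a dangling indirect reference unparses as the reference itself, which should be confirmed against the existing behaviour. A value that does not fit in int is also not exercised, so the test does not show whether such input yields null or an exception. The body of `test_31` begins outside this hunk.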