76f8c5
From 004e3c10df0abda214f0c293f9e269fdd979c5ee Mon Sep 17 00:00:00 2001
76f8c5
From: Albert Astals Cid <aacid@kde.org>
76f8c5
Date: Wed, 18 Jul 2018 20:31:27 +0200
76f8c5
Subject: Fix crash when Object has negative number
76f8c5
76f8c5
Spec says object number has to be > 0 and gen has to be >= 0
76f8c5
76f8c5
Reported by email
76f8c5
76f8c5
Modified by Marek Kasik for older release
76f8c5
76f8c5
diff --git a/poppler/Parser.cc b/poppler/Parser.cc
76f8c5
index 39c9a967..8b0093e3 100644
76f8c5
--- a/poppler/Parser.cc
76f8c5
+++ b/poppler/Parser.cc
76f8c5
@@ -154,9 +154,14 @@ Object Parser::getObj(GBool simpleOnly,
76f8c5
     num = buf1.getInt();
76f8c5
     shift();
76f8c5
     if (buf1.isInt() && buf2.isCmd("R")) {
76f8c5
+      const int gen = buf1.getInt();
76f8c5
-      obj->initRef(num, buf1.getInt());
76f8c5
+      obj->initRef(num, gen);
76f8c5
       shift();
76f8c5
       shift();
76f8c5
+
76f8c5
+      if (unlikely(num <= 0 || gen < 0)) {
76f8c5
+          obj->free();
76f8c5
+      }
76f8c5
     } else {
76f8c5
       obj->initInt(num);
76f8c5
     }