From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001

From: Adam Reichold <adam.reichold@t-online.de>

Date: Mon, 24 Dec 2018 15:40:38 +0100

Subject: [PATCH] Do not try to parse into unallocated XRef entry and return

 pointer to dummy entry instead. Closes #692 and oss-fuzz/12330

---

 poppler/XRef.cc | 27 +++++++++++++++++++++------

 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/poppler/XRef.cc b/poppler/XRef.cc

index 0ec66944..d042d1f4 100644

--- a/poppler/XRef.cc

+++ b/poppler/XRef.cc

@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)

   }

 }

+namespace {

+

+struct DummyXRefEntry : XRefEntry {

+  DummyXRefEntry() {

+    offset = 0;

+    gen = -1;

+    type = xrefEntryNone;

+    flags = 0;

+  }

+};

+

+DummyXRefEntry dummyXRefEntry;

+

+}

+

 XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)

 {

   if (i >= size || entries[i].type == xrefEntryNone) {

     if ((!xRefStream) && mainXRefEntriesOffset) {

+      if (unlikely(i >= capacity)) {

+	error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);

+	return &dummyXRefEntry;

+      }

+

       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {

         error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);

       }

@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)

       // We might have reconstructed the xref

       // Check again i is in bounds

       if (unlikely(i >= size)) {

-        static XRefEntry dummy;

-        dummy.offset = 0;

-        dummy.gen = -1;

-        dummy.type = xrefEntryNone;

-        dummy.flags = 0;

-        return &dummy;

+	return &dummyXRefEntry;

       }

       if (entries[i].type == xrefEntryNone) {

-- 

2.20.1