commit d6ea8acbb348fdb43601a963ba5407e933565003
Author: Adrian Johnson <ajohnson@redneon.com>
Date: Mon Nov 3 19:11:25 2014 +0100
fix crash in Xref::getEntry
Bug 85234
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 2560e3d..333f5ec 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -1568,7 +1568,7 @@ GBool XRef::parseEntry(Goffset offset, XRefEntry *entry)
void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
{
std::vector<Goffset> followedPrev;
- while (prevXRefOffset && (untilEntryNum == -1 || entries[untilEntryNum].type == xrefEntryNone)) {
+ while (prevXRefOffset && (untilEntryNum == -1 || (untilEntryNum < size && entries[untilEntryNum].type == xrefEntryNone))) {
bool followed = false;
for (size_t j = 0; j < followedPrev.size(); j++) {
if (followedPrev.at(j) == prevXRefOffset) {
@@ -1606,7 +1606,7 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
{
- if (entries[i].type == xrefEntryNone) {
+ if (i >= size || entries[i].type == xrefEntryNone) {
if ((!xRefStream) && mainXRefEntriesOffset) {
if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {