Blob Blame Raw
commit d6ea8acbb348fdb43601a963ba5407e933565003
Author: Adrian Johnson <ajohnson@redneon.com>
Date:   Mon Nov 3 19:11:25 2014 +0100

    fix crash in Xref::getEntry
    
    Bug 85234

diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 2560e3d..333f5ec 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -1568,7 +1568,7 @@ GBool XRef::parseEntry(Goffset offset, XRefEntry *entry)
 void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
 {
   std::vector<Goffset> followedPrev;
-  while (prevXRefOffset && (untilEntryNum == -1 || entries[untilEntryNum].type == xrefEntryNone)) {
+  while (prevXRefOffset && (untilEntryNum == -1 || (untilEntryNum < size && entries[untilEntryNum].type == xrefEntryNone))) {
     bool followed = false;
     for (size_t j = 0; j < followedPrev.size(); j++) {
       if (followedPrev.at(j) == prevXRefOffset) {
@@ -1606,7 +1606,7 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
 
 XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
 {
-  if (entries[i].type == xrefEntryNone) {
+  if (i >= size || entries[i].type == xrefEntryNone) {
 
     if ((!xRefStream) && mainXRefEntriesOffset) {
       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {