Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
+++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
 *orig_gen = 0;
 }
- fz_var(chain);
+ chain = fz_keep_stream(ctx, chain);
 fz_try(ctx)
 {
 len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
- /* don't close chain when we close this filter */
- chain2 = fz_keep_stream(ctx, chain);
+ chain2 = chain;
 chain = NULL;
 chain = fz_open_null(ctx, chain2, len, offset);
Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 {
 objstm = pdf_load_object(ctx, doc, num);
+ if (pdf_obj_marked(ctx, objstm))
+ fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+ }
+ fz_catch(ctx)
+ {
+ pdf_drop_obj(ctx, objstm);
+ fz_rethrow(ctx);
+ }
+
+ fz_try(ctx)
+ {
+ pdf_mark_obj(ctx, objstm);
+
 count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
 first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 fz_drop_stream(ctx, stm);
 fz_free(ctx, ofsbuf);
 fz_free(ctx, numbuf);
+ pdf_unmark_obj(ctx, objstm);
 pdf_drop_obj(ctx, objstm);
 }
 fz_catch(ctx)
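Review bot: Dropping `fz_var(chain);` looks risky in pdf_open_raw_filter, because `chain` is still reassigned inside the fz_try body (`chain = NULL;` followed by `chain = fz_open_null(ctx, chain2, len, offset);`). The fz_catch block lies outside this hunk; if it drops `chain`, the variable is written inside the try and read in the handler, so I would keep `fz_var(chain);` directly after the new `chain = fz_keep_stream(ctx, chain);`. The removed comment was also the only explanation of the extra reference, and a replacement such as `/* take our own reference before fz_try so the error path only drops a stream this function owns */` would record why the keep moved.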
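Review bot: The new `fz_throw` in pdf_load_obj_stm rejects a recursive lookup without saying which object stream triggered it, which makes a rejected file hard to triage from logs. `num` is in scope at this point, so `fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup (%d 0 R)", num);` would identify the offending object. The added fz_catch also reads `objstm`, which is assigned inside the first fz_try; that relies on `objstm` being NULL-initialised and covered by `fz_var` above the hunk, which is not visible here. A short comment before the second `fz_try`, for example `/* mark objstm for the duration of the load so a nested lookup of the same stream is rejected */`, would explain why the block was split in two.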
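Review bot: `pdf_unmark_obj(ctx, objstm);` has to run on every exit from the marked region, and the block it sits in opens outside this hunk, so that cannot be confirmed from the visible lines. If this is the cleanup (`fz_always`) block, the mark is cleared on error as well. If it is the tail of the fz_try body, any throw after `pdf_mark_obj` leaves the object marked, and presumably a later legitimate load of the same cached object stream would then fail with "recursive object stream lookup". A comment on the line, `/* clear the recursion mark on both success and error paths */`, would make the requirement explicit.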