mupdf/CVE-2018-6192.patch

From 5e411a99604ff6be5db9e273ee84737204113299 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 30 Jan 2018 02:05:57 +0100
Subject: [PATCH] Bug 698916: Indirect object numbers must be in range.

---
 source/pdf/pdf-parse.c | 2 ++
 source/pdf/pdf-xref.c  | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

Index: mupdf-1.12.0-source/source/pdf/pdf-parse.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-parse.c
+++ mupdf-1.12.0-source/source/pdf/pdf-parse.c
@@ -616,6 +616,8 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_d
 		fz_throw(ctx, FZ_ERROR_SYNTAX, "expected object number");
 	}
 	num = buf->i;
+	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_SYNTAX, "object number out of range");
 
 	tok = pdf_lex(ctx, file, buf);
 	if (tok != PDF_TOK_INT)
Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -234,8 +234,8 @@ pdf_xref_entry *pdf_get_populating_xref_
 	}
 
 	/* Prevent accidental heap underflow */
-	if (num < 0)
-		fz_throw(ctx, FZ_ERROR_GENERIC, "object number must not be negative (%d)", num);
+	if (num < 0 || num > PDF_MAX_OBJECT_NUMBER)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "object number out of range (%d)", num);
 
 	/* Return the pointer to the entry in the last section. */
 	xref = &doc->xref_sections[doc->num_xref_sections-1];