commit dd3c8e62ac41add9bad416af8b71cc5db02de029
from: Sven M. Hallberg
date: Thu Mar 30 13:40:42 2023 UTC
bounds-check /Prev pointers
Mirrors the check for startxref. I considered unifying the two into one test at the start of the loop, but then we would lose the information whether we got the offset from startxref or a /Prev.
commit - aa40560780b0cbea24d03b68570f3aac3b352da5
commit + dd3c8e62ac41add9bad416af8b71cc5db02de029
blob - 14e4a1da670fc0f1db89b2baf1e3047482adba13
blob + 4e159a39308ae3a089a6319e3e6227172b84d5a8
--- pdf.c
+++ pdf.c
@@ -5023,6 +5023,7 @@ parse_xrefs(const uint8_t *input, size_t sz, size_t *n
 * is a "linearized" PDF. in that case there should be exactly
 * one xref section at the beginning of the file that is
 * allowed to point forward.
+ * also, the new offset should not point outside the file.
 */
 if ((uint64_t)tok->sint >= offset)
 nfwd++;
@@ -5032,6 +5033,12 @@ parse_xrefs(const uint8_t *input, size_t sz, size_t *n
 offset);
 break;
 }
+ if ((uint64_t)tok->sint >= sz) {
+ log_message(5, "%s: /Prev pointer of xref section at " "%zu (%#zx) points outside the file\n", infile, offset, offset);
+ break;
+ }
 offset = (size_t)tok->sint;
 }
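Review bot: The new `if ((uint64_t)tok->sint >= sz)` test in the second hunk runs only after the `>= offset` forward-pointer test in the first hunk, so a /Prev that points past end-of-file is first counted in `nfwd` and, if it happens to be the second forward pointer, is reported by the earlier `break` with the forward-pointer message instead of the new "points outside the file" one. Moving the bounds check ahead of the forward-pointer block would still keep the startxref-vs-/Prev distinction the commit message wants to preserve, while making the diagnostic for an out-of-file offset unambiguous. The cast also deserves a word in the code: a negative `tok->sint` wraps to a value of at least 2^63 and is therefore rejected by this comparison too, so a comment such as `/* a negative /Prev wraps to a huge uint64_t and is rejected here as well */` would make that deliberate rather than accidental-looking. The enclosing loop in parse_xrefs starts and ends outside both hunks, so how `nfwd` is bounded is inferred only from the visible `break`.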