From 8cd50e0e3e20166b91226caf49ed4eb42cd9778d Mon Sep 17 00:00:00 2001
From: m-holger
Date: Tue, 21 May 2024 12:50:19 +0100
Subject: [PATCH] Fix QPDF::tableSize

Apply temporary fix to deal with fuzz case 68915. (Error is an integer overflow which would immediately cause a runtime error as a result of a call to QInitCQIntC::to_size.)
---
 libqpdf/QPDF.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index ed32b386..84fed36c 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -2391,6 +2391,13 @@ QPDF::tableSize()
 // objects.
 auto max_xref = m->xref_table.size() ? m->xref_table.crbegin()->first.getObj() : 0;
 auto max_obj = m->obj_cache.size() ? m->obj_cache.crbegin()->first.getObj() : 0;
+ auto max_id = std::numeric_limits::max() - 1;
+ if (max_obj >= max_id || max_xref >= max_id) {
+ // Temporary fix. Long-term solution is
+ // - QPDFObjGen to enforce objgens are valid and sensible
+ // - xref table and obj cache to protect against insertion of impossibly large obj ids
+ stopOnError("Impossibly large object id encountered.");
+ }
 if (max_obj < 1.1 * std::max(toI(m->obj_cache.size()), max_xref)) {
 return toS(++max_obj);
 }
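Review bot: The bound on the added `auto max_id` line reads `std::numeric_limits::max() - 1` with no template argument as shown here, which does not compile, so the page has presumably stripped `<int>` (the type `getObj()` appears to return given the `: 0` fallbacks); tying it to the compared value, `auto max_id = std::numeric_limits<decltype(max_obj)>::max() - 1;`, avoids a silent signed/unsigned comparison if that return type ever changes. The `- 1` is also unexplained: it is what leaves room for the `++max_obj` on the context line below and presumably for a `+ 1` later in tableSize(), which continues past this hunk, so a comment such as `// leave room for the +1 applied to the larger id below` would record why INT_MAX itself is rejected. The guard only removes the overflow if stopOnError() never returns; if any recovery mode lets it warn and continue, the increment below still overflows, so that assumption is worth stating beside the call. Adding fuzz case 68915 to the regression corpus would keep the bound exercised once the long-term fix described in the new comment replaces this one.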