From 9094fb1f8eed9f869d2bf90d99e7ab9ac913d76c Mon Sep 17 00:00:00 2001 From: Jay Berkenbilt Date: Sun, 3 Nov 2019 18:54:39 -0500 Subject: [PATCH] Fix two additional fuzz test cases --- fuzz/qpdf_extra/18241.fuzz | Bin 0 -> 73 bytes fuzz/qpdf_extra/18247.fuzz | Bin 0 -> 569 bytes libqpdf/QPDF.cc | 5 +++-- 3 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 fuzz/qpdf_extra/18241.fuzz create mode 100644 fuzz/qpdf_extra/18247.fuzz diff --git a/fuzz/qpdf_extra/18241.fuzz b/fuzz/qpdf_extra/18241.fuzz new file mode 100644 index 0000000000000000000000000000000000000000..c18cfe6c6c4c0f5815170160170da6d9d1734036 GIT binary patch literal 73 zcmZ=1XDBX7EGnreN=@Un;Ndak;W0B(Fi^--;3_Ff%*;tG;bqVWH{n(n7Ey3I;+ko9-mpl4i^9Dz&#< zr2l{yulf&o@eioId+_c-@hsGX9y~aSZ7uq4@A3V3d|#~{L~D3ok=o}kA3hR?OJI-< z_DG{aTj|uqd3t2JfUE`RD#qzHa79DVo~P*p;PjEbbIqu?39_dF(33m9Ps}u#tHA$5 zmR28_jfZX?Kluk;M(`XWx<`0E#1-%9aA>Z(% z@OTvBx)ja3u7~SkGjOpUB8L7Pfi6RdsD)HaDvt|v1uE?dCM-;AiLCB&bwx)u!+&&k z=+-nbhrKm{_ICuFABGulVb>0Andzt;+fe3zKU*Y%w3B5e@cIJq(548=ruF>5&~C>J z>Ej*(w>rLGl(~ubi8KB*7$+ zxpPXaQFid8`81s*mA7wZr%U9t cQ>%sB5pgaWB96YSWs?=m->deleted_objects.rbegin())); } - if (size - 1 != max_obj) + if ((size < 1) || (size - 1 != max_obj)) { QTC::TC("qpdf", "QPDF xref size mismatch"); warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(), "", 0, @@ -1206,7 +1206,8 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj) // an uncompressed object record, in which case the generation // number appears as the third field. int obj = toI(indx.at(cur_chunk)); - if ((std::numeric_limits::max() - obj) < chunk_count) + if ((obj < 0) || + ((std::numeric_limits::max() - obj) < chunk_count)) { std::ostringstream msg; msg << "adding " << chunk_count << " to " << obj
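Review bot: The new `obj < 0` test in the processXRefStream hunk should carry a comment saying why it must come first, because the reason is not the range check but the existing expression: for a negative obj, `std::numeric_limits::max() - obj` exceeds the maximum and is signed overflow before chunk_count is ever compared, so the short-circuit order matters; suggested wording `// reject obj < 0 first: max() - obj would overflow (signed UB) for a negative obj`. The guard still admits a negative `chunk_count`, whose sign is not validated anywhere in this hunk; if it is not checked earlier, the subsequent `obj + chunk_count` can go negative without tripping the overflow test, and `(obj < 0) || (chunk_count < 0) ||` would close that. The template argument of numeric_limits appears to have been stripped from this rendering of the patch rather than from the code itself. processXRefStream begins and ends outside the hunk.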