Merge pull request #1126 from m-holger/fuzz65777

Fix incorrect handling of invalid negative object ids

fuzz/CMakeLists.txt

@@ -111,6 +111,8 @@ set(CORPUS_OTHER
   37740.fuzz
   57639.fuzz
   65681.fuzz
+  65773.fuzz
+  65777.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

fuzz/qpdf_extra/65773.fuzz

@@ -0,0 +1 @@
+trailer<</Root<<[-2147483648 7 R 8 4 R]>>>>

fuzz/qtest/fuzz.test

@@ -20,7 +20,7 @@ my @fuzzers = (
     ['pngpredictor' => 1],
     ['runlength' => 6],
     ['tiffpredictor' => 1],
-    ['qpdf' => 54],             # increment when adding new files
+    ['qpdf' => 56],             # increment when adding new files
     );
 
 my $n_tests = 0;

libqpdf/QPDF.cc

@@ -709,10 +709,11 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 
     // Make sure we keep only the highest generation for any object.
     QPDFObjGen last_og{-1, 0};
-    for (auto const& og: m->xref_table) {
-        if (og.first.getObj() == last_og.getObj())
+    for (auto const& item: m->xref_table) {
+        auto id = item.first.getObj();
+        if (id == last_og.getObj() && id > 0)
             removeObject(last_og);
-        last_og = og.first;
+        last_og = item.first;
     }
 }
 
@@ -2405,7 +2406,7 @@ QPDF::getCompressibleObjGens()
     while (!queue.empty()) {
         auto obj = queue.back();
         queue.pop_back();
-        if (obj.isIndirect()) {
+        if (obj.getObjectID() > 0) {
             QPDFObjGen og = obj.getObjGen();
             const size_t id = toS(og.getObj() - 1);
             if (id >= max_obj)