From ac5e6de2e8692803b1c85cb79dd7c5497baf5f2e Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 27 Aug 2019 10:16:18 -0400
Subject: [PATCH] Fix fuzz issue 15387 (overflow checking xref size)
---
fuzz/qpdf_extra/15387.fuzz | 2 ++
libqpdf/QPDF.cc | 6 +++---
qpdf/qtest/qpdf/bad12-recover.out | 2 +-
qpdf/qtest/qpdf/bad12.out | 2 +-
qpdf/qtest/qpdf/issue-51.out | 2 +-
5 files changed, 8 insertions(+), 6 deletions(-)
create mode 100644 fuzz/qpdf_extra/15387.fuzz
diff --git a/fuzz/qpdf_extra/15387.fuzz b/fuzz/qpdf_extra/15387.fuzz
new file mode 100644
index 00000000..d6c57a14
--- /dev/null
+++ b/fuzz/qpdf_extra/15387.fuzz
@@ -0,0 +1,2 @@
+ xref 2147483647 1 1 5 fstartxref 2
+trailer<>
\ No newline at end of file
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index fd661ba0..28af689a 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -672,14 +672,14 @@ QPDF::read_xref(qpdf_offset_t xref_offset)
 {
 max_obj = std::max(max_obj, *(this->m->deleted_objects.rbegin()));
 }
- if (size != max_obj + 1)
+ if (size - 1 != max_obj)
 {
 QTC::TC("qpdf", "QPDF xref size mismatch");
 warn(QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(),
 "", 0,
 std::string("reported number of objects (") +
 QUtil::int_to_string(size) +
- ") inconsistent with actual number of objects (" +
- QUtil::int_to_string(max_obj + 1) + ")"));
+ ") is not one plus the highest object number (" +
+ QUtil::int_to_string(max_obj) + ")"));
 }
 // We no longer need the deleted_objects table, so go ahead and
diff --git a/qpdf/qtest/qpdf/bad12-recover.out b/qpdf/qtest/qpdf/bad12-recover.out
index 0c07a7fd..503b957d 100644
--- a/qpdf/qtest/qpdf/bad12-recover.out
+++ b/qpdf/qtest/qpdf/bad12-recover.out
@@ -1,4 +1,4 @@
-WARNING: bad12.pdf: reported number of objects (9) inconsistent with actual number of objects (8)
+WARNING: bad12.pdf: reported number of objects (9) is not one plus the highest object number (7)
 /QTest is implicit
 /QTest is direct and has type null (2)
 /QTest is null
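Review bot: The rewritten condition `if (size - 1 != max_obj)` in the QPDF.cc hunk avoids the overflow on `max_obj + 1` (the added fuzz input carries object number 2147483647) but only moves the edge to the other operand: if `size` is a signed `int` and a damaged trailer can supply a negative or minimum-value `/Size`, `size - 1` is itself signed overflow. I cannot see from this hunk how `size` is validated before the comparison; read_xref starts before the hunk and continues after it. If nothing earlier rejects a negative `/Size`, comparing in a wider type keeps the fix's behaviour without any wraparound, e.g. `if (static_cast<long long>(size) - 1 != max_obj)`. A one-line comment above the condition such as `// compare size - 1, not max_obj + 1: max_obj may be INT_MAX (fuzz 15387)` would also preserve why the comparison is written this way.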
diff --git a/qpdf/qtest/qpdf/bad12.out b/qpdf/qtest/qpdf/bad12.out
index 666e92fd..9f4e4188 100644
--- a/qpdf/qtest/qpdf/bad12.out
+++ b/qpdf/qtest/qpdf/bad12.out
@@ -1,4 +1,4 @@
-WARNING: bad12.pdf: reported number of objects (9) inconsistent with actual number of objects (8)
+WARNING: bad12.pdf: reported number of objects (9) is not one plus the highest object number (7)
 /QTest is implicit
 /QTest is direct and has type null (2)
 /QTest is null
diff --git a/qpdf/qtest/qpdf/issue-51.out b/qpdf/qtest/qpdf/issue-51.out
index 7c16e23a..518ab7cf 100644
--- a/qpdf/qtest/qpdf/issue-51.out
+++ b/qpdf/qtest/qpdf/issue-51.out
@@ -1,5 +1,5 @@
 WARNING: issue-51.pdf: can't find PDF header
-WARNING: issue-51.pdf: reported number of objects (0) inconsistent with actual number of objects (9)
+WARNING: issue-51.pdf: reported number of objects (0) is not one plus the highest object number (8)
 WARNING: issue-51.pdf (object 7 0, offset 553): expected endobj
 WARNING: issue-51.pdf (object 1 0, offset 359): expected endobj
 WARNING: issue-51.pdf (offset 70): loop detected resolving object 2 0