From bb83e65193684b5a7521fa77ffb87ad82e49564c Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Tue, 17 Sep 2019 19:48:27 -0400
Subject: [PATCH] Fix fuzz issue 16953 (overflow checking in xref stream index)

---
 fuzz/qpdf_extra/16953.fuzz | 1 +
 libqpdf/QPDF.cc | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/qpdf_extra/16953.fuzz

diff --git a/fuzz/qpdf_extra/16953.fuzz b/fuzz/qpdf_extra/16953.fuzz
new file mode 100644
index 00000000..56d2295a
--- /dev/null
+++ b/fuzz/qpdf_extra/16953.fuzz
@@ -0,0 +1 @@
+ 5 0 obj<>/Filter/Fl/Index[2147483641 13]/Size 0/Type/XRef/W[1 2 1]>>stream hÞbd`²D endstream startxref 6
\ No newline at end of file
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 511081a8..a484fdc4 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -5,6 +5,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1202,7 +1203,16 @@ QPDF::processXRefStream(qpdf_offset_t xref_offset, QPDFObjectHandle& xref_obj)
 // based on /Index. The generation number is 0 unless this is
 // an uncompressed object record, in which case the generation
 // number appears as the third field.
-int obj = toI(indx.at(cur_chunk)) + chunk_count;
+int obj = toI(indx.at(cur_chunk));
+if ((std::numeric_limits::max() - obj) < chunk_count)
+{
+std::ostringstream msg;
+msg << "adding " << chunk_count << " to " << obj << " while computing index in xref stream would cause" << " an integer overflow";
+throw std::range_error(msg.str());
+}
+obj += chunk_count;
 ++chunk_count;
 if (chunk_count >= indx.at(cur_chunk + 1))
 {
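Review bot: The new guard `std::numeric_limits<int>::max() - obj` can itself overflow when `obj` is negative, because `toI(indx.at(cur_chunk))` accepts any value that fits in an `int` and nothing in this hunk rejects a negative /Index start; `INT_MAX - (-1)` is signed overflow, which is undefined behaviour, so a hostile xref stream with a negative first /Index entry would still reach UB on the check that was added to prevent it. If negative values are not rejected earlier in processXRefStream (not visible here), extend the condition to `if (obj < 0 || (std::numeric_limits<int>::max() - obj) < chunk_count)` so the subtraction only runs on a non-negative operand, and consider a dedicated checked-add helper if the file already has one, since the same pattern (read an int from untrusted xref data, then add to it) is likely to recur. The error text in the thrown `std::range_error` reads as a diagnostic for a damaged file, so a one-line comment such as `// /Index values come from the file; reject both overflow and negative starts` above the check would make the intent clear to the next reader. The enclosing function processXRefStream starts and ends outside this hunk.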