From bf2abc908971a802f16a0b7e1d8eba4aa52f376e Mon Sep 17 00:00:00 2001
From: "Sven M. Hallberg" <pesco@khjk.org>
Date: Tue, 28 Feb 2023 13:19:34 +0000
Subject: [PATCH] validate that xref entry types cannot overflow our type field

The grammar accepts uint64_t, but our field is an enum, i.e. int.
---
 pdf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pdf.c b/pdf.c
index 3c181c3..8841d3f 100644
--- a/pdf.c
+++ b/pdf.c
@@ -949,6 +949,12 @@ act_xrent(const HParseResult *p, void *u)
 	return H_MAKE(XREntry, xr);
 }
 
+bool
+validate_xrstment(HParseResult *p, void *u)
+{
+	return (H_FIELD_UINT(0) <= INT_MAX);
+}
+
 HParsedToken *
 act_xrstment(const HParseResult *p, void *u)
 {
@@ -4670,6 +4676,7 @@ p_xrefdata__m(HAllocator *mm__, const Dict *dict)
 	if (Wskip > 0)	// XXX h_skip does not work with CF, yet
 		return p_fail;
 	p_entry = h_sequence__m(mm__, p_field[0], p_field[1], p_field[2], NULL);
+	p_entry = h_attr_bool__m(mm__, p_entry, validate_xrstment, NULL);
 	p_entry = h_action__m(mm__, p_entry, act_xrstment, NULL);
 
 	/* Index (optional) - subsections [base count ...] */
-- 
GitLab