From f8055b14e31968709c9ffafaf31a9a4f41a17a7b Mon Sep 17 00:00:00 2001
From: Pompolic <pompolic@special-circumstanc.es>
Date: Wed, 15 Dec 2021 17:24:11 +0100
Subject: [PATCH] Add check for null object in xref subsection

---
 pdf.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/pdf.c b/pdf.c
index 618e4e9..8aa66d4 100644
--- a/pdf.c
+++ b/pdf.c
@@ -1031,9 +1031,9 @@ act_xrstment(const HParseResult *p, void *u)
 		break;
 	/* Unknown type of XR entry in stream. We parse it as the null object according to ISO32000-2 7.5.8.3 */
 	default:
-		null_token = h_arena_malloc(p->arena, 5);
-		memcpy(null_token, "null", 5);
-		return H_MAKE_BYTES(null_token, 5);
+		null_token = h_arena_malloc(p->arena, 4);
+		memcpy(null_token, "null", 4);
+		return H_MAKE_BYTES(null_token, 4);
 	}
 
 	return H_MAKE(XREntry, xr);
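Review bot: The literal length 4 now appears three times in the `default:` branch, and the resulting token is no longer NUL-terminated, but nothing on these lines says so. Any consumer that treats `null_token` as a C string would read past the arena allocation, so I would add a comment such as `/* 4 bytes, deliberately not NUL-terminated: compare with bytes.len, never as a C string */`. Deriving the size once, e.g. `const size_t null_len = sizeof "null" - 1;`, and using it in all three calls would keep the allocation, copy and token length from drifting apart. act_xrstment begins and ends outside this hunk, so other users of the token are not visible here.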
@@ -2749,6 +2749,21 @@ init_parser(struct Env *aux)
 }
 
 
+// XXX: are there other places beside xrefs we might find a null object?
+
+/*
+ * Check whether the HParsedToken passed as parameter corresponds to the null object.
+ */
+
+int
+check_null_object(const HParsedToken *token)
+{
+	if (token->token_type == TT_BYTES && !strncmp((const char*) token->bytes.token, "null", 4))
+		return 0;
+	else
+		return 1;
+}
+
 /*
  * lookup and resolution of indirect references
  */
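Review bot: `check_null_object` calls `strncmp(..., "null", 4)` without looking at `token->bytes.len`. Since the first hunk stops storing the terminator, a TT_BYTES token shorter than four bytes can be compared past its end. Any longer byte string that merely starts with "null" also matches. Comparing the length first closes both gaps: `token->token_type == TT_BYTES && token->bytes.len == 4 && memcmp(token->bytes.token, "null", 4) == 0`. The function returns 0 on a match and 1 otherwise, which reads backwards for a `check_` predicate, so the header comment should state it, e.g. `Returns 0 if the token is the null object, 1 otherwise`. The function is also defined without `static`, and no prototype is visible in the hunk.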
@@ -2769,6 +2784,10 @@ lookup_xref(struct Env *aux, size_t nr, size_t gen)
 			base = H_INDEX_UINT(ss, 0, 0);
 			n = H_INDEX_UINT(ss, 0, 1);
 
+			if( nr >= base && nr - base < n && check_null_object(ss->seq->elements[1]->seq->elements[nr-base]))
+				/* xref type was invalid during parsing */
+				return NULL;
+
 			if (nr >= base && nr - base < n)
 				return H_INDEX(XREntry, ss, 1, nr - base);
 			// TODO: Generate a more meaningful error message -- p_viol, error ontology category
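Review bot: The added condition looks inverted. `check_null_object` as defined in this patch returns 0 for the null token and 1 for everything else, so `&& check_null_object(...)` returns NULL for every ordinary entry in range. It also lets the TT_BYTES null token fall through to `H_INDEX(XREntry, ss, 1, nr - base)`. The test should be `check_null_object(...) == 0`, or the helper should return non-zero on a match. The new line also indexes `ss->seq->elements[1]->seq->elements[nr-base]` directly, bounded only by `n` read from the subsection header. Whether `n` always equals the number of parsed entries is not visible here, so I would also require `nr - base < ss->seq->elements[1]->seq->used` before the access. lookup_xref continues outside this hunk.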
-- 
GitLab