From 5c0c55d2c09b6a89731f85a9fa44065d1649452a Mon Sep 17 00:00:00 2001
From: Tim Ledbetter
Date: Sat, 28 Oct 2023 09:03:09 +0100
Subject: [PATCH] LibPDF: Ensure xref stream field widths are within expected range

Previously, an xref stream with a field with larger than 8 would result in an undefined shift occurring. We now ensure that each field width is a number and is less than or equal to 8.
---
 Userland/Libraries/LibPDF/DocumentParser.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Userland/Libraries/LibPDF/DocumentParser.cpp b/Userland/Libraries/LibPDF/DocumentParser.cpp
index 29b0dc05a8..ee13f0d7c5 100644
--- a/Userland/Libraries/LibPDF/DocumentParser.cpp
+++ b/Userland/Libraries/LibPDF/DocumentParser.cpp
@@ -430,7 +430,12 @@ PDFErrorOr> DocumentParser::parse_xref_stream()
 for (int i = 0; i < count; i++) {
 Array fields;
 for (size_t field_index = 0; field_index < 3; ++field_index) {
+ if (!field_sizes->at(field_index).has_u32())
+ return error("Malformed xref stream");
+ auto field_size = field_sizes->at(field_index).get_u32();
+ if (field_size > 8)
+ return error("Malformed xref stream");
 if (byte_index + field_size > stream->bytes().size())
 return error("The xref stream data cut off early");