authorJulian Offenhäuser <offenhaeuser@protonmail.com>2022-11-10 23:03:33 +0100
committerAndreas Kling <kling@serenityos.org>2022-11-19 15:42:08 +0100
commit4b1a72ff7a0d8517225bd59f970e119cc43bc7f8 (patch)
tree5329f1fb1d2fbcb76a96a1c1369c8ff3cf32df6f /Userland/Libraries/LibPDF
parenta17a23a3f01c67912bc02e66943d76b5e60d31f0 (diff)
LibPDF: Fix loop condition in parse_xref_stream()
We previously compared two unrelated values to determine if we parsed the xref table to completion. We now check if we added every subsection instead, and double check to make sure we never read past the end.
Diffstat (limited to 'Userland/Libraries/LibPDF')
-rw-r--r--Userland/Libraries/LibPDF/DocumentParser.cpp9
1 files changed, 5 insertions, 4 deletions
diff --git a/Userland/Libraries/LibPDF/DocumentParser.cpp b/Userland/Libraries/LibPDF/DocumentParser.cpp
index 3c7598be0b..3b40fd1eb4 100644
--- a/Userland/Libraries/LibPDF/DocumentParser.cpp
+++ b/Userland/Libraries/LibPDF/DocumentParser.cpp
@@ -328,10 +328,14 @@ PDFErrorOr<NonnullRefPtr<XRefTable>> DocumentParser::parse_xref_stream()
Vector<XRefEntry> entries;
- for (int entry_index = 0; entry_index < highest_object_number; ++entry_index) {
+ for (int entry_index = 0; subsection_index < subsections.size(); ++entry_index) {
Array<long, 3> fields;
for (size_t field_index = 0; field_index < 3; ++field_index) {
auto field_size = field_sizes->at(field_index).get_u32();
+
+ if (byte_index + field_size > stream->bytes().size())
+ return error("The xref stream data cut off early");
+
auto field = stream->bytes().slice(byte_index, field_size);
fields[field_index] = field_to_long(field);
byte_index += field_size;
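Review bot: The new bounds check `if (byte_index + field_size > stream->bytes().size())` adds two values before comparing, and `field_size` is a u32 taken from the document's own field-size array, so on a build where that sum is computed in 32 bits it can wrap and pass the check just before `slice()` runs. The declaration of `byte_index` is outside the hunk, so its width is inferred rather than seen. The subtraction form avoids the question: `if (field_size > stream->bytes().size() - byte_index)`, which holds as long as `byte_index` never exceeds the stream size (it only advances after the check passes). It may also be worth rejecting a field-size array whose three entries are all zero, since then no bytes are consumed and the subsection's declared count alone appears to decide how many entries get appended. The body of parse_xref_stream() starts and ends outside the hunk.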
@@ -343,9 +347,6 @@ PDFErrorOr<NonnullRefPtr<XRefTable>> DocumentParser::parse_xref_stream()
entries.append({ fields[1], static_cast<u16>(fields[2]), type != 0, type == 2 });
- if (subsection_index >= subsections.size())
- break;
-
auto subsection = subsections[subsection_index];
if (entry_index >= subsection.get<1>()) {
table->add_section({ subsection.get<0>(), subsection.get<1>(), entries });