@@ -94,7 +94,7 @@ int cli_bytecode_context_setparam_int(struct cli_bc_ctx *ctx, unsigned i, uint64

 int cli_bytecode_context_setparam_ptr(struct cli_bc_ctx *ctx, unsigned i, void *data, unsigned datalen);

 int cli_bytecode_context_setfile(struct cli_bc_ctx *ctx, fmap_t *map);

 int cli_bytecode_context_setpe(struct cli_bc_ctx *ctx, const struct cli_pe_hook_data *data, const struct cli_exe_section *sections);

-int cli_bytecode_context_setpdf(struct cli_bc_ctx *ctx, unsigned phase, unsigned nobjs, struct pdf_obj *objs, uint32_t *pdf_flags, uint32_t pdfsize, uint32_t pdfstartoff);

+int cli_bytecode_context_setpdf(struct cli_bc_ctx *ctx, unsigned phase, unsigned nobjs, struct pdf_obj **objs, uint32_t *pdf_flags, uint32_t pdfsize, uint32_t pdfstartoff);

 int cli_bytecode_context_clear(struct cli_bc_ctx *ctx);

 /* returns file descriptor, sets tempfile. Caller takes ownership, and is

  * responsible for freeing/unlinking */

@@ -1427,7 +1427,7 @@ uint32_t cli_bcapi_check_platform(struct cli_bc_ctx *ctx , uint32_t a, uint32_t

 int cli_bytecode_context_setpdf(struct cli_bc_ctx *ctx, unsigned phase,

                                 unsigned nobjs,

-                                struct pdf_obj *objs, uint32_t *pdf_flags,

+                                struct pdf_obj **objs, uint32_t *pdf_flags,

                                 uint32_t pdfsize, uint32_t pdfstartoff)

 {

     ctx->pdf_nobjs = nobjs;

@@ -1470,7 +1470,7 @@ int32_t cli_bcapi_pdf_lookupobj(struct cli_bc_ctx *ctx , uint32_t objid)

     if (!ctx->pdf_phase)

         return -1;

     for (i=0;i<ctx->pdf_nobjs;i++) {

-        if (ctx->pdf_objs[i].id == objid)

+        if (ctx->pdf_objs[i]->id == objid)

             return i;

     }

     return -1;

@@ -1484,8 +1484,8 @@ uint32_t cli_bcapi_pdf_getobjsize(struct cli_bc_ctx *ctx , int32_t objidx)

        )

         return 0;

     if ((uint32_t)(objidx + 1) == ctx->pdf_nobjs)

-        return ctx->pdf_size - ctx->pdf_objs[objidx].start;

-    return ctx->pdf_objs[objidx+1].start - ctx->pdf_objs[objidx].start - 4;

+        return ctx->pdf_size - ctx->pdf_objs[objidx]->start;

+    return ctx->pdf_objs[objidx+1]->start - ctx->pdf_objs[objidx]->start - 4;

 }

 const uint8_t* cli_bcapi_pdf_getobj(struct cli_bc_ctx *ctx , int32_t objidx, uint32_t amount)

@@ -1493,7 +1493,7 @@ const uint8_t* cli_bcapi_pdf_getobj(struct cli_bc_ctx *ctx , int32_t objidx, uin

     uint32_t size = cli_bcapi_pdf_getobjsize(ctx, objidx);

     if (amount > size)

         return NULL;

-    return fmap_need_off(ctx->fmap, ctx->pdf_objs[objidx].start, amount);

+    return fmap_need_off(ctx->fmap, ctx->pdf_objs[objidx]->start, amount);

 }

 int32_t cli_bcapi_pdf_getobjid(struct cli_bc_ctx *ctx , int32_t objidx)

@@ -1501,7 +1501,7 @@ int32_t cli_bcapi_pdf_getobjid(struct cli_bc_ctx *ctx , int32_t objidx)

     if (!ctx->pdf_phase ||

         (uint32_t)objidx >= ctx->pdf_nobjs)

         return -1;

-    return ctx->pdf_objs[objidx].id;

+    return ctx->pdf_objs[objidx]->id;

 }

 int32_t cli_bcapi_pdf_getobjflags(struct cli_bc_ctx *ctx , int32_t objidx)

@@ -1509,7 +1509,7 @@ int32_t cli_bcapi_pdf_getobjflags(struct cli_bc_ctx *ctx , int32_t objidx)

     if (!ctx->pdf_phase ||

         (uint32_t)objidx >= ctx->pdf_nobjs)

         return -1;

-    return ctx->pdf_objs[objidx].flags;

+    return ctx->pdf_objs[objidx]->flags;

 }

 int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t objidx, int32_t flags)

@@ -1518,9 +1518,9 @@ int32_t cli_bcapi_pdf_setobjflags(struct cli_bc_ctx *ctx , int32_t objidx, int32

         (uint32_t)objidx >= ctx->pdf_nobjs)

         return -1;

     cli_dbgmsg("cli_pdf: bytecode setobjflags %08x -> %08x\n",

-               ctx->pdf_objs[objidx].flags,

+               ctx->pdf_objs[objidx]->flags,

                flags);

-    ctx->pdf_objs[objidx].flags = flags;

+    ctx->pdf_objs[objidx]->flags = flags;

     return 0;

 }

@@ -1529,7 +1529,7 @@ int32_t cli_bcapi_pdf_get_offset(struct cli_bc_ctx *ctx , int32_t objidx)

     if (!ctx->pdf_phase ||

         (uint32_t)objidx >= ctx->pdf_nobjs)

         return -1;

-    return ctx->pdf_startoff + ctx->pdf_objs[objidx].start;

+    return ctx->pdf_startoff + ctx->pdf_objs[objidx]->start;

 }

 int32_t cli_bcapi_pdf_get_phase(struct cli_bc_ctx *ctx)

@@ -184,7 +184,7 @@ struct cli_bc_ctx {

     uint32_t lsigcnt[64];

     uint32_t lsigoff[64];

     uint32_t pdf_nobjs;

-    struct pdf_obj *pdf_objs;

+    struct pdf_obj **pdf_objs;

     uint32_t* pdf_flags;

     uint32_t pdf_size;

     uint32_t pdf_startoff;

@@ -73,7 +73,7 @@ extern "C"

 #define CL_COUNT_PRECISION 4096

 /* return codes */

-typedef enum {

+typedef enum cl_error_t {

     /* libclamav specific */

     CL_CLEAN = 0,

     CL_SUCCESS = 0,

@@ -119,6 +119,11 @@ static void XFA_cb(struct pdf_struct *pdf, struct pdf_obj *obj, struct pdfname_a

 #endif

 /* End PDF statistics callbacks and related */

+static int pdf_readint(const char *q0, int len, const char *key);

+static const char *pdf_getdict(const char *q0, int* len, const char *key);

+static char *pdf_readval(const char *q, int len, const char *key);

+static char *pdf_readstring(const char *q0, int len, const char *key, unsigned *slen, const char **qend, int noescape);

+

 static int xrefCheck(const char *xref, const char *eof)

 {

     const char *q;

@@ -156,6 +161,14 @@ static int xrefCheck(const char *xref, const char *eof)

 #define noisy_warnmsg(...)

 #endif

+/**

+ * @brief   Searching BACKwards, find the next character that is not a whitespace.

+ * 

+ * @param q         Index to start from (at the end of the search space)

+ * @param start     Beginning of the search space. 

+ * 

+ * @return const char*  Address of the final non-whitespace character OR the same address as the start.

+ */

 static const char *findNextNonWSBack(const char *q, const char *start)

 {

     while (q > start && (*q == 0 || *q == 9 || *q == 0xa || *q == 0xc || *q == 0xd || *q == 0x20))

@@ -164,15 +177,56 @@ static const char *findNextNonWSBack(const char *q, const char *start)

     return q;

 }

-static int find_stream_bounds(const char *start, off_t bytesleft, off_t bytesleft2, off_t *stream, off_t *endstream, int newline_hack)

+/**

+ * @brief   Searching FORwards, find the next character that is not a whitespace.

+ * 

+ * @param q         Index to start from (at the end of the search space)

+ * @param start     Beginning of the search space. 

+ * 

+ * @return const char*  Address of the final non-whitespace character OR the same address as the start.

+ */

+static const char *findNextNonWS(const char *q, const char *end)

+{

+    while (q < end && (*q == 0 || *q == 9 || *q == 0xa || *q == 0xc || *q == 0xd || *q == 0x20))

+        q++;

+

+    return q;

+}

+

+/**

+ * @brief   Find bounds of stream.

+ * 

+ * PDF streams are prefixed with "stream" and suffixed with "endstream".

+ * Return value indicates success or failure.

+ * 

+ * @param start             start address of search space.

+ * @param bytesleft         size of search space for "stream"

+ * @param bytesleft2        size of search space for "endstream"

+ * @param[out] stream       output param, address of start of stream data

+ * @param[out] endstream    output param, address of end of stream data

+ * @param newline_hack      hack to support newlines that are \r\n, and not just \n or just \r.

+ * 

+ * @return int  1 if stream bounds were found. 

+ * @return int  0 if stream bounds could not be found. 

+ */

+static int find_stream_bounds(

+    const char *start, 

+    off_t bytesleft, 

+    off_t bytesleft2, 

+    off_t *stream, 

+    off_t *endstream, 

+    int newline_hack)

 {

     const char *q2, *q;

+

+    /* Begin by finding the "stream" string that prefixes stream data. */

     if ((q2 = cli_memstr(start, bytesleft, "stream", 6))) {

         q2 += 6;

         bytesleft -= q2 - start;

         if (bytesleft < 0)

             return 0;

+        /* Skip any new line charcters. */

         if (bytesleft >= 2 && q2[0] == '\xd' && q2[1] == '\xa') {

             q2 += 2;

             if (newline_hack && (bytesleft > 2) && q2[0] == '\xa')

@@ -182,16 +236,23 @@ static int find_stream_bounds(const char *start, off_t bytesleft, off_t byteslef

         }

         *stream = q2 - start;

+

         bytesleft2 -= q2 - start;

         if (bytesleft2 <= 0)

             return 0;

+        /* Now find the "endstream" string that suffixes stream data */

         q = q2;

         q2 = cli_memstr(q, bytesleft2, "endstream", 9);

-        if (!q2)

+        if (!q2) {

+            /* Couldn't find "endstream", but that's ok --

+             * -- we'll just count the data we have until EOF. */

             q2 = q + bytesleft2-9; /* till EOF */

+        }

         *endstream = q2 - start;

+

+        /* Double-check that endstream >= stream */

         if (*endstream < *stream)

             *endstream = *stream;

@@ -202,61 +263,273 @@ static int find_stream_bounds(const char *start, off_t bytesleft, off_t byteslef

 }

 /**

- * @brief  Finds the next obj and adds it to our list of objects, and increments nobj.

- *

- * @param pdf   PDF structure

- * @return int  -1 if error

- * @return int  0 if no more objects

- * @return int  1 if success

- * @return int  2 if an invalid object was discovered, may be skipped.

+ * @brief Find the next *indirect* object in an object stream, adds it to our list of 

+ *        objects, and increments nobj.

+ * 

+ * Indirect objects in a stream DON'T begin with "obj" and end with "endobj".

+ * Instead, they have an obj ID and an offset from the first object to point you

+ * right at them.

+ * 

+ * If found, objstm->current will be updated to the next obj id.

+ * 

+ * All objects in an object stream are indirect and thus do not begin or start 

+ * with "obj" or "endobj".  Instead, the object stream takes the following 

+ * format.

+ * 

+ *      <dictionary describing stream> objstm content endobjstm

+ * 

+ * where content looks something like the following:

+ * 

+ *      15 0 16 3 17 46 (ab)<</IDS 8 0 R/JavaScript 27 0 R/URLS 9 0 R>><</Names[(Test)28 0 R]>>

+ * 

+ * In the above example, the literal string (ab) is indirect object # 15, and 

+ * begins at offset 0 of the set of objects.  The next object, # 16 begis at 

+ * offset 3 is a dictionary.  The final object is also a dictionary, beginning 

+ * at offset 46.

+ * 

+ * @param pdf   Pdf struct that keeps track of all information found in the PDF. 

+ * @param objstm

+ * 

+ * @return CL_SUCCESS  if success

+ * @return CL_EPARSE   if parsing error

+ * @return CL_EMEM     if error allocating memory

+ * @return CL_EARG     if invalid arguments

+ */

+int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm, struct pdf_obj **obj_found)

+{

+    cl_error_t status = CL_EPARSE;

+    struct pdf_obj *obj = NULL;

+    unsigned long objid = 0, objsize = 0, objoff = 0;

+    const char *index = NULL;

+    size_t bytes_remaining = 0;

+

+    if (NULL == pdf || NULL == objstm) {

+        cli_warnmsg("pdf_findobj_in_objstm: invalid arguments\n");

+        return CL_EARG;

+    }

+

+    *obj_found = NULL;

+

+    index = objstm->streambuf + objstm->current_pair;

+    bytes_remaining = objstm->streambuf_len - objstm->current_pair;

+

+    obj = calloc(sizeof(struct pdf_obj), 1);

+    if (!obj) {

+        cli_warnmsg("pdf_findobj_in_objstm: out of memory finding objects in stream\n");

+        status = CL_EMEM;

+        goto done;

+    }

+

+    /* This object is in a stream, not in the regular map buffer. */

+    obj->objstm = objstm;

+

+    /* objstm->current_pair points directly to the obj id */

+    if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &objid)) {

+        /* Failed to find objid */

+        cli_dbgmsg("pdf_findobj_in_objstm: Failed to find objid for obj in object stream\n");

+        status = CL_EPARSE;

+        goto done;

+    }

+

+    /* Find the obj offset that appears just after the obj id*/

+    while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {

+        index++;

+        bytes_remaining--;

+    }

+    index = findNextNonWS(index, objstm->streambuf + objstm->first);

+    bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

+

+    if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &objoff)) {

+        /* Failed to find obj offset */

+        cli_dbgmsg("pdf_findobj_in_objstm: Failed to find obj offset for obj in object stream\n");

+        status = CL_EPARSE;

+        goto done;

+    }

+

+    objstm->current = objstm->first + objoff;

+

+    obj->id = (objid << 8) | (0 & 0xff);

+    obj->start = objstm->current;

+    obj->flags = 0;

+

+    objstm->nobjs_found++;

+

+    while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {

+        index++;

+        bytes_remaining--;

+    }

+    objstm->current_pair = (uint32_t)(findNextNonWS(index, objstm->streambuf + objstm->first) - objstm->streambuf);

+

+    /* Update current_pair, if there are more */

+    if ((objstm->nobjs_found < objstm->n) &&

+        (index < objstm->streambuf + objstm->streambuf_len))

+    {

+        unsigned long next_objid = 0, next_objoff = 0;

+

+        /* 

+         * While we're at it, 

+         *   lets record the size as running up to the next object offset.

+         * 

+         * To do so, we will need to parse the next obj pair.

+         */

+        /* objstm->current_pair points directly to the obj id */

+        index = objstm->streambuf + objstm->current_pair;

+        bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

+

+        if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &next_objid)) {

+            /* Failed to find objid for next obj */

+            cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next objid for obj in object stream though there should be {%u} more.\n", objstm->n - objstm->nobjs_found);

+            status = CL_EPARSE;

+            goto done;

+        }

+

+        /* Find the obj offset that appears just after the obj id*/

+        while ((index < objstm->streambuf + objstm->streambuf_len) && isdigit(*index)) {

+            index++;

+            bytes_remaining--;

+        }

+        index = findNextNonWS(index, objstm->streambuf + objstm->first);

+        bytes_remaining = objstm->streambuf + objstm->streambuf_len - index;

+

+        if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &next_objoff)) {

+            /* Failed to find obj offset for next obj */

+            cli_dbgmsg("pdf_findobj_in_objstm: Failed to find next obj offset for obj in object stream though there should be {%u} more.\n", objstm->n - objstm->nobjs_found);

+            status = CL_EPARSE;

+            goto done;

+        }

+

+        obj->size = objstm->first + next_objoff - obj->start;

+    } 

+    else 

+    {

+        /*

+         * Should be no more objects. We should verify.

+         * 

+         * Either way...

+         *   obj->size should be the rest of the buffer. 

+         */

+        if (objstm->nobjs_found < objstm->n) {

+            cli_warnmsg("pdf_findobj_in_objstm: Fewer objects found in object stream than expected!\n");

+        }

+

+        obj->size = objstm->streambuf_len - obj->start;

+    }

+

+    /* Success! Add the object to the list of all objects found. */

+    pdf->nobjs++;

+    pdf->objs = cli_realloc2(pdf->objs, sizeof(struct pdf_obj*) * pdf->nobjs);

+    if (!pdf->objs) {

+        cli_warnmsg("pdf_findobj_in_objstm: out of memory finding objects in stream\n");

+        status = CL_EMEM;

+        goto done;

+    }

+    pdf->objs[pdf->nobjs-1] = obj;

+

+    *obj_found = obj;

+

+    status = CL_SUCCESS;

+

+done:

+    if (CL_SUCCESS != status) {

+        if (NULL != obj) {

+            free(obj);

+        }

+    }

+    return status;

+}

+

+/**

+ * @brief Find the next *indirect* object.

+ * 

+ * Indirect objects begin with "obj" and end with "endobj".

+ * Identify objects that contain streams.

+ * Identify truncated objects. 

+ * 

+ * If found, pdf->offset will be updated to just after the "endobj".

+ * If truncated, pdf->offset will == pdf->size.

+ * If not found, pdf->offset will not be updated.

+ * 

+ * @param pdf   Pdf context struct that keeps track of all information found in the PDF. 

+ * 

+ * @return CL_SUCCESS  if success

+ * @return CL_BREAK    if no more objects

+ * @return CL_EPARSE   if parsing error

+ * @return CL_EMEM     if error allocating memory

  */

-int pdf_findobj(struct pdf_struct *pdf)

+cl_error_t pdf_findobj(struct pdf_struct *pdf)

 {

+    cl_error_t status = CL_EPARSE;

     const char *start, *q, *q2, *q3, *eof;

-    struct pdf_obj *obj;

+    struct pdf_obj *obj = NULL;

     off_t bytesleft;

     unsigned long genid, objid;

     pdf->nobjs++;

-    pdf->objs = cli_realloc2(pdf->objs, sizeof(*pdf->objs)*pdf->nobjs);

+    pdf->objs = cli_realloc2(pdf->objs, sizeof(struct pdf_obj*) * pdf->nobjs);

     if (!pdf->objs) {

-        cli_warnmsg("cli_pdf: out of memory parsing objects (%u)\n", pdf->nobjs);

-        return -1;

+        status = CL_EMEM;

+        goto done;

+    }

+

+    obj = malloc(sizeof(struct pdf_obj));

+    if (!obj) {

+        status = CL_EMEM;

+        goto done;

     }

+    pdf->objs[pdf->nobjs-1] = obj;

-    obj = &pdf->objs[pdf->nobjs-1];

     memset(obj, 0, sizeof(*obj));

-    start = pdf->map+pdf->offset;

+

+    start = pdf->map + pdf->offset;

     bytesleft = pdf->size - pdf->offset;

-    while (bytesleft > 0) {

+

+    /* Indirect objects located outside of an object stream are prefaced with "obj"

+     * and suffixed with "endobj".  Find the "obj" preface. */

+    while (bytesleft > 0)

+    {

         q2 = cli_memstr(start, bytesleft, "obj", 3);

-        if (!q2)

-            return 0;/* no more objs */

+        if (!q2) {

+            status = CL_BREAK; /* no more objs */

+            goto done;

+        }

+        /* verify that "obj" has a whitespace before it, and is not the end of 

+         * a previous string like... "globj" */

         q2--;

         bytesleft -= q2 - start;

+

         if (*q2 != 0 && *q2 != 9 && *q2 != 0xa && *q2 != 0xc && *q2 != 0xd && *q2 != 0x20) {

+            /* This instance of the "obj" string appears to be part of another string.

+             * Skip it, and keep searching for an object. */

             start = q2+4;

             bytesleft -= 4;

             continue;

         }

-        break;

+        break; /* Found it. q2 should point to the whitespace before the "obj" string */

     }

-    if (bytesleft <= 0)

-        return 0;

+    if (bytesleft <= 0) {

+        status = CL_BREAK; /* No "obj" found. */

+        goto done;

+    }

+

+    /* "obj" found! */

+    /* Find the generation id (genid) that appears before the "obj" */

     q = findNextNonWSBack(q2-1, start);

     while (q > start && isdigit(*q))

         q--;

     if (CL_SUCCESS != cli_strntoul_wrap(q, (size_t)(bytesleft + (q2-q)), 0, 10, &genid)) {

-        cli_dbgmsg("cli_pdf: Failed to parse object genid (%u)\n", pdf->nobjs);

+        cli_dbgmsg("pdf_findobj: Failed to parse object genid (# objects found: %u)\n", pdf->nobjs);

         /* Failed to parse, probably not a real object.  Skip past the "obj" thing, and continue. */

         pdf->offset = q2 + 4 - pdf->map;

-        return 2;

+        status = CL_EPARSE;

+        goto done;

     }

+

+    /* Find the object id (objid) that appers before the genid */

     q = findNextNonWSBack(q-1,start);

     while (q > start && isdigit(*q))

         q--;

@@ -271,59 +544,82 @@ int pdf_findobj(struct pdf_struct *pdf)

             const char* lastfile = q - 4;

             if (0 != strncmp(lastfile, "\%\%EOF", 5)) {

                 /* Nope, wasn't %%EOF */

-                cli_dbgmsg("cli_pdf: Failed to parse object objid (%u)\n", pdf->nobjs);

+                cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

                 /* Skip past the "obj" thing, and continue. */

                 pdf->offset = q2 + 4 - pdf->map;

-                return 2;

+                status = CL_EPARSE;

+                goto done;

             }

             /* Yup, Looks, like the file continues after %%EOF.  

              * Probably another revision.  Keep parsing... */

             q++;

-            cli_dbgmsg("cli_pdf: \%\%EOF detected before end of file, at %zu\n", (size_t)q);

+            cli_dbgmsg("pdf_findobj: \%\%EOF detected before end of file, at %zu\n", (size_t)q);

         } else {

             /* Failed parsing at the very beginning */

-            cli_dbgmsg("cli_pdf: Failed to parse object objid (%u)\n", pdf->nobjs);

+            cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

             /* Probably not a real object.  Skip past the "obj" thing, and continue. */

             pdf->offset = q2 + 4 - pdf->map;

-            return 2;

+            status = CL_EPARSE;

+            goto done;

         }

         /* Try again, with offset slightly adjusted */

         if (CL_SUCCESS != cli_strntoul_wrap(q, (size_t)(bytesleft + (q2-q)), 0, 10, &objid)) {

-            cli_dbgmsg("cli_pdf: Failed to parse object objid (%u)\n", pdf->nobjs);

+            cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

             /* Still failed... Probably not a real object.  Skip past the "obj" thing, and continue. */

             pdf->offset = q2 + 4 - pdf->map;

-            return 2;

+            status = CL_EPARSE;

+            goto done;

         }

-        cli_dbgmsg("cli_pdf: There appears to be an additional revision. Continuing to parse...\n");

+        cli_dbgmsg("pdf_findobj: There appears to be an additional revision. Continuing to parse...\n");

     }

-    obj->id = (objid << 8) | (genid&0xff);

-    obj->start = q2+4 - pdf->map;

+

+    /*

+     * Ok so we have the objid, genid, and "obj" string.

+     *   Time to store that information and then ...

+     *     ... investigate what kind of object this is.

+     */

+    obj->id = (objid << 8) | (genid & 0xff);

+    obj->start = q2+4 - pdf->map; /* obj start begins just after the "obj" string */

     obj->flags = 0;

+

     bytesleft -= 4;

     eof = pdf->map + pdf->size;

     q = pdf->map + obj->start;

-    while (q < eof && bytesleft > 0) {

+    while (q < eof && bytesleft > 0)

+    {

         off_t p_stream, p_endstream;

         q2 = pdf_nextobject(q, bytesleft);

         if (!q2)

-            q2 = pdf->map + pdf->size;

+            q2 = pdf->map + pdf->size; /* No interesting objects found, fast-forward to eof */

         bytesleft -= q2 - q;

         if (find_stream_bounds(q-1, q2-q, bytesleft + (q2-q), &p_stream, &p_endstream, 1)) {

+            /*

+             * Found obj that contains a stream.

+             */

             obj->flags |= 1 << OBJ_STREAM;

             q2 = q-1 + p_endstream + 9;

             bytesleft -= q2 - q + 1;

             if (bytesleft < 0) {

+                /* ... and the stream is truncated.  Hmm... */

                 obj->flags |= 1 << OBJ_TRUNCATED;

                 pdf->offset = pdf->size;

-                return 1;/* truncated */

+

+                status = CL_SUCCESS;

+                goto done; /* Truncated file, no end to obj/stream. 

+                            * The next call to pdf_findobj() will return no more objects. */

             }

         } else if ((q3 = cli_memstr(q-1, q2-q+1, "endobj", 6))) {

+            /*

+             * obj found and offset positioned. ideal return case

+             */

             q2 = q3 + 6;

-            pdf->offset = q2 - pdf->map;

-            return 1; /* obj found and offset positioned */

+            pdf->offset = q2 - pdf->map; /* update the offset to just after the endobj */

+

+            status = CL_SUCCESS;

+            goto done; 

         } else {

             q2++;

             bytesleft--;

@@ -335,7 +631,32 @@ int pdf_findobj(struct pdf_struct *pdf)

     obj->flags |= 1 << OBJ_TRUNCATED;

     pdf->offset = pdf->size;

-    return 1;/* truncated */

+    status = CL_SUCCESS; /* truncated file, no end to obj. */

+

+done:

+    if (status == CL_SUCCESS) {

+        cli_dbgmsg("pdf_findobj: found %d %d obj @%lld\n", obj->id >> 8, obj->id&0xff, (long long)(obj->start + pdf->startoff));

+    }

+    else

+    {

+        if(status == CL_BREAK) {

+            cli_dbgmsg("pdf_findobj: No more objects (# objects found: %u)\n", pdf->nobjs);

+        } else if(status == CL_EMEM) {

+            cli_warnmsg("pdf_findobj: Error allocating memory (# objects found: %u)\n", pdf->nobjs);

+        } else {

+            cli_dbgmsg("pdf_findobj: Unexpected status code %d.\n", status);

+        }

+        /* Remove the unused obj reference from our list of objects found */

+        /* No need to realloc pdf->objs back down.  It won't leak. */

+        pdf->objs[pdf->nobjs-1] = NULL;

+        pdf->nobjs--;

+

+        /* Free up the obj struct. */

+        if (NULL != obj)

+            free(obj);

+    }

+

+    return status; 

 }

 static size_t filter_writen(struct pdf_struct *pdf, struct pdf_obj *obj, int fout, const char *buf, size_t len, size_t *sum)

@@ -424,7 +745,7 @@ void pdfobj_flag(struct pdf_struct *pdf, struct pdf_obj *obj, enum pdf_flag flag

         break;

     }

-    cli_dbgmsg("cli_pdf: %s flagged in object %u %u\n", s, obj->id>>8, obj->id&0xff);

+    cli_dbgmsg("pdfobj_flag: %s flagged in object %u %u\n", s, obj->id>>8, obj->id&0xff);

 }

 struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t objid)

@@ -433,17 +754,20 @@ struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t o

     uint32_t i;

     /* search starting at previous obj (if exists) */

-    i = (obj != pdf->objs) ? obj - pdf->objs : 0;

+    for (i = 0; i < pdf->nobjs; i++) {

+        if (pdf->objs[i] == obj)

+            break;

+    }

-    for (j=i;j<pdf->nobjs;j++) {

-        obj = &pdf->objs[j];

+    for (j = i; j < pdf->nobjs; j++) {

+        obj = pdf->objs[j];

         if (obj->id == objid)

             return obj;

     }

     /* restart search from beginning if not found */

-    for (j=0;j<i;j++) {

-        obj = &pdf->objs[j];

+    for (j = 0; j < i; j++) {

+        obj = pdf->objs[j];

         if (obj->id == objid)

             return obj;

     }

@@ -451,72 +775,173 @@ struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t o

     return NULL;

 }

-static int find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const char *start, off_t len)

+/**

+ * @brief   Find and interpret the "/Length" dictionary key value.

+ * 

+ * The value may be:

+ *  - a direct object (i.e. just a number) 

+ *  - an indirect object, where the value is somewhere else in the document and we have to look it up.

+ *    indirect objects are referenced using an object id (objid), generation id (genid) genid, and the letter 'R'.

+ * 

+ * Example dictionary with a single key "/Length" that relies direct object for the value.

+ * 

+ *      1 0 obj

+ *          << /Length 534

+ *              /Filter [ /ASCII85Decode /LZWDecode ]

+ *          >>

+ *          stream

+ *              J..)6T`?p&<!J9%_[umg"B7/Z7KNXbN'S+,*Q/&"OLT'FLIDK#!n`$"<Atdi`\Vn%b%)&'cA*VnK\CJY(sF>c!Jnl@

+ *              RM]WM;jjH6Gnc75idkL5]+cPZKEBPWdR>FF(kj1_R%W_d&/jS!;iuad7h?[L-F$+]]0A3Ck*$I0KZ?;<)CJtqi65Xb

+ *              Vc3\n5ua:Q/=0$W<#N3U;H,MQKqfg1?:lUpR;6oN[C2E4ZNr8Udn.'p+?#X+1>0Kuk$bCDF/(3fL5]Oq)^kJZ!C2H1

+ *              'TO]Rl?Q:&'<5&iP!$Rq;BXRecDN[IJB`,)o8XJOSJ9sDS]hQ;Rj@!ND)bD_q&C\g:inYC%)&u#:u,M6Bm%IY!Kb1+

+ *              ":aAa'S`ViJglLb8<W9k6Yl\\0McJQkDeLWdPN?9A'jX*al>iG1p&i;eVoK&juJHs9%;Xomop"5KatWRT"JQ#qYuL,

+ *              JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~>

+ *          endstream

+ *      endobj

+ * 

+ * Example dictionary with a single key "/Length" that relies on an indirect object for the value.

+ * 

+ *      7 0 obj

+ *          << /Length 8 0 R >> % An indirect reference to object 8, with generation id 0.

+ *          stream

+ *              BT

+ *                  /F1 12 Tf

+ *                   72 712 Td

+ *                  ( A stream with an indirect length ) Tj

+ *              ET

+ *          endstream

+ *      endobj

+ * 

+ *      8 0 obj

+ *          77 % The length of the preceding stream

+ *      endobj

+ * 

+ * @param pdf       Pdf context structure.

+ * @param obj       Pdf object context structure.

+ * @param start     Pointer start of the dictionary string.

+ * @param len       Remaining length of the dictioary string in bytes.

+ * @return size_t   Unsigned integer value of the "/Length" key

+ */

+static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const char *dict_start, size_t dict_len)

 {

-    unsigned long length;

-    const char *q;

+    size_t length = 0;

+    const char *obj_start = dict_start;

+    size_t bytes_remaining = dict_len;

+    unsigned long length_ul = 0;

+    const char *index;

-    q = cli_memstr(start, len, "/Length", 7);

-    if (!q)

+    if (bytes_remaining < 8) {

         return 0;

+    }

-    q++;

-    len -= q - start;

-    start = pdf_nextobject(q, len);

-    if (!start)

+    /*

+     * Find the "/Length" dictionary key

+     */

+    index = cli_memstr(obj_start, bytes_remaining, "/Length", 7);

+    if (!index)

         return 0;

-    len -= start - q;

-    q = start;

-    if (CL_SUCCESS != cli_strntoul_wrap(q, (size_t)len, 0, 10, &length)) {

-        cli_dbgmsg("cli_pdf: failed to parse object length\n");

+    if (bytes_remaining < 1) {

         return 0;

     }

-    while (isdigit(*q) && len > 0) {

-        q++;

-        len--;

+    /* Step the index into the "/Length" string. */

+    index++;

+    bytes_remaining -= index - obj_start;

+

+    /* Find the start of the next direct or indirect object.

+     * pdf_nextobject() assumes we started searching from within a previous object */

+    obj_start = pdf_nextobject(index, bytes_remaining);

+    if (!obj_start)

+        return 0;

+

+    if (bytes_remaining < obj_start - index) {

+        return 0;

+    }

+    bytes_remaining -= obj_start - index;

+    index = obj_start;

+    

+    /* Read the value.  This could either be the direct length value,

+       or the object id of the indirect object that has the length */

+    if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &length_ul)) {

+        cli_dbgmsg("find_length: failed to parse object length\n");

+        return 0;

+    }

+    length = length_ul; /* length or maybe object id */

+

+    /* 

+     * Keep parsing, skipping past the first integer that might have been what we wanted. 

+     * If it's an indirect object, we'll find a Generation ID followed by the letter 'R' 

+     * I.e. something like " 0 R" 

+     */

+    while ((bytes_remaining > 0) && isdigit(*index)) {

+        index++;

+        bytes_remaining--;

     }

-    if (*q == ' ' && len > 0) {

+    if ((bytes_remaining > 0) && (*index == ' ')) {

         unsigned long genid;

-        q++;

-        len--;

-        if (CL_SUCCESS != cli_strntoul_wrap(q, (size_t)len, 0, 10, &genid)) {

-            cli_dbgmsg("cli_pdf: failed to parse object genid\n");

+

+        index++;

+        bytes_remaining--;

+

+        if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &genid)) {

+            cli_dbgmsg("find_length: failed to parse object genid\n");

             return 0;

         }

-        while(isdigit(*q) && len > 0) {

-            q++;

-            len--;

+        while((bytes_remaining > 0) && isdigit(*index)) {

+            index++;

+            bytes_remaining--;

+        }

+

+        if (bytes_remaining < 2) {

+            return 0;

         }

-        if (q[0] == ' ' && q[1] == 'R') {

-            cli_dbgmsg("cli_pdf: length is in indirect object %lu %lu\n", length, genid);

+        if (index[0] == ' ' && index[1] == 'R') {

+            /* 

+             * Ok so we found a genid and that 'R'.  Which means that first value 

+             * was actually the objid.

+             * We can look up the indirect object using this information.

+             */

+            unsigned long objid = length;

+            const char* indirect_obj_start = NULL;

+            

+            cli_dbgmsg("find_length: length is in indirect object %lu %lu\n", objid, genid);

             obj = find_obj(pdf, obj, (length << 8) | (genid&0xff));

             if (!obj) {

-                cli_dbgmsg("cli_pdf: indirect object not found\n");

+                cli_dbgmsg("find_length: indirect object not found\n");

                 return 0;

             }

-            q = pdf_nextobject(pdf->map+obj->start, pdf->size - obj->start);

-            if (!q) {

-                cli_dbgmsg("cli_pdf: next object not found\n");

+            indirect_obj_start = pdf->map + obj->start;

+            bytes_remaining = pdf->size - obj->start;

+            

+            /* Ok so we found the indirect object, lets read the value. */

+            index = pdf_nextobject(indirect_obj_start, bytes_remaining);

+            if (!index) {

+                cli_dbgmsg("find_length: next object not found\n");

                 return 0;

             }

+            

+            if (bytes_remaining < index - indirect_obj_start) {

+                return 0;

+            }

+            bytes_remaining -= index - indirect_obj_start;

-            if (CL_SUCCESS != cli_strntoul_wrap(q, (size_t)len, 0, 10, &length)) {

-                cli_dbgmsg("cli_pdf: failed to parse object length from indirect object\n");

+            /* Found the value, so lets parse it as an unsigned long */

+            if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, &length)) {

+                cli_dbgmsg("find_length: failed to parse object length from indirect object\n");

                 return 0;

             }

         }

     }

     /* limit length */

-    if (start - pdf->map + length+5 > pdf->size)

-        length = pdf->size - (start - pdf->map)-5;

+    if (obj_start - pdf->map + length + 5 > pdf->size)

+        length = pdf->size - (obj_start - pdf->map) - 5;