@@ -134,14 +134,14 @@ static int xrefCheck(const char *xref, const char *eof)

     if (xref + 4 >= eof)

         return -1;

-    if (!memcmp(xref, "xref", 4)) {

+    if (!memcmp(xref, "xref", strlen("xref"))) {

         cli_dbgmsg("cli_pdf: found xref\n");

         return 0;

     }

     /* could be xref stream */

     for (q=xref; q+5 < eof; q++) {

-        if (!memcmp(q,"/XRef",4)) {

+        if (!memcmp(q,"/XRef", strlen("/XRef"))) {

             cli_dbgmsg("cli_pdf: found /XRef\n");

             return 0;

         }

@@ -163,10 +163,10 @@ static int xrefCheck(const char *xref, const char *eof)

 /**

  * @brief   Searching BACKwards, find the next character that is not a whitespace.

- * 

+ *

  * @param q         Index to start from (at the end of the search space)

- * @param start     Beginning of the search space. 

- * 

+ * @param start     Beginning of the search space.

+ *

  * @return const char*  Address of the final non-whitespace character OR the same address as the start.

  */

 static const char *findNextNonWSBack(const char *q, const char *start)

@@ -179,10 +179,10 @@ static const char *findNextNonWSBack(const char *q, const char *start)

 /**

  * @brief   Searching FORwards, find the next character that is not a whitespace.

- * 

+ *

  * @param q         Index to start from (at the end of the search space)

- * @param start     Beginning of the search space. 

- * 

+ * @param start     Beginning of the search space.

+ *

  * @return const char*  Address of the final non-whitespace character OR the same address as the start.

  */

 static const char *findNextNonWS(const char *q, const char *end)

@@ -195,100 +195,116 @@ static const char *findNextNonWS(const char *q, const char *end)

 /**

  * @brief   Find bounds of stream.

- * 

+ *

  * PDF streams are prefixed with "stream" and suffixed with "endstream".

  * Return value indicates success or failure.

- * 

+ *

  * @param start             start address of search space.

- * @param bytesleft         size of search space for "stream"

- * @param bytesleft2        size of search space for "endstream"

+ * @param size              size of search space

  * @param[out] stream       output param, address of start of stream data

- * @param[out] endstream    output param, address of end of stream data

+ * @param[out] stream_size  output param, size of stream data

  * @param newline_hack      hack to support newlines that are \r\n, and not just \n or just \r.

- * 

- * @return int  1 if stream bounds were found. 

- * @return int  0 if stream bounds could not be found. 

+ *

+ * @return cl_error_t       CL_SUCCESS if stream bounds were found.

+ * @return cl_error_t       CL_BREAK if stream bounds could not be found.

+ * @return cl_error_t       CL_EFORMAT if stream start was found, but not end. (truncated)

+ * @return cl_error_t       CL_EARG if invalid args were provided.

  */

-static int find_stream_bounds(

-    const char *start, 

-    off_t bytesleft, 

-    off_t bytesleft2, 

-    off_t *stream, 

-    off_t *endstream, 

+static cl_error_t find_stream_bounds(

+    const char *start,

+    size_t size,

+    const char **stream,

+    size_t *stream_size,

     int newline_hack)

 {

-    const char *q2, *q;

+    cl_error_t status = CL_BREAK;

+

+    const char *idx;

+    const char *stream_begin;

+    const char *endstream_begin;

+    size_t bytesleft = size;

+

+    if ((NULL == start) || (0 == bytesleft) || (NULL == stream) || (NULL == stream_size)) {

+        status = CL_EARG;

+        return status;

+    }

+

+    *stream = NULL;

+    *stream_size = 0;

     /* Begin by finding the "stream" string that prefixes stream data. */

-    if ((q2 = cli_memstr(start, bytesleft, "stream", 6))) {

-        q2 += 6;

-        bytesleft -= q2 - start;

+    if ((stream_begin = cli_memstr(start, bytesleft, "stream", strlen("stream")))) {

+        idx = stream_begin + strlen("stream");

+        bytesleft -= idx - start;

         if (bytesleft < 0)

-            return 0;

+            goto done;

         /* Skip any new line charcters. */

-        if (bytesleft >= 2 && q2[0] == '\xd' && q2[1] == '\xa') {

-            q2 += 2;

-            if (newline_hack && (bytesleft > 2) && q2[0] == '\xa')

-                q2++;

-        } else if (bytesleft && q2[0] == '\xa') {

-            q2++;

+        if (bytesleft >= 2 && idx[0] == '\xd' && idx[1] == '\xa') {

+            idx += 2;

+            if (newline_hack && (bytesleft > 2) && idx[0] == '\xa')

+                idx++;

+        } else if (bytesleft && idx[0] == '\xa') {

+            idx++;

         }

-        *stream = q2 - start;

+        /* Pass back start of the stream data. */

+        *stream = idx;

-        bytesleft2 -= q2 - start;

-        if (bytesleft2 <= 0)

-            return 0;

+        bytesleft = size - (idx - start);

+        if (bytesleft <= 0)

+            goto done;

-        /* Now find the "endstream" string that suffixes stream data */

-        q = q2;

-        q2 = cli_memstr(q, bytesleft2, "endstream", 9);

-        if (!q2) {

-            /* Couldn't find "endstream" */

-            return 0;

+        /* Now find the "endstream" string that suffixes stream data. */

+        endstream_begin = cli_memstr(idx, bytesleft, "endstream", strlen("endstream"));

+        if (!endstream_begin) {

+            /* Couldn't find "endstream", but that's ok --

+             * -- we'll just count the rest of the provided buffer. */

+            cli_dbgmsg("find_stream_bounds: Truncated stream found!\n");

+            endstream_begin = start + size;

+            status = CL_EFORMAT;

         }

-        *endstream = q2 - start;

-

-        /* Double-check that endstream >= stream */

-        if (*endstream < *stream)

-            *endstream = *stream;

+        /* Pass back end of the stream data, as offset from start. */

+        *stream_size = endstream_begin - *stream;

-        return 1;

+        if (CL_EFORMAT != status)

+            status = CL_SUCCESS;

     }

-    return 0;

+done:

+

+    return status;

 }

 /**

- * @brief Find the next *indirect* object in an object stream, adds it to our list of 

+ * @brief Find the next *indirect* object in an object stream, adds it to our list of

  *        objects, and increments nobj.

- * 

+ *

  * Indirect objects in a stream DON'T begin with "obj" and end with "endobj".

  * Instead, they have an obj ID and an offset from the first object to point you

  * right at them.

- * 

+ *

  * If found, objstm->current will be updated to the next obj id.

- * 

- * All objects in an object stream are indirect and thus do not begin or start 

- * with "obj" or "endobj".  Instead, the object stream takes the following 

+ *

+ * All objects in an object stream are indirect and thus do not begin or start

+ * with "obj" or "endobj".  Instead, the object stream takes the following

  * format.

- * 

+ *

  *      <dictionary describing stream> objstm content endobjstm

- * 

+ *

  * where content looks something like the following:

- * 

+ *

  *      15 0 16 3 17 46 (ab)<</IDS 8 0 R/JavaScript 27 0 R/URLS 9 0 R>><</Names[(Test)28 0 R]>>

- * 

- * In the above example, the literal string (ab) is indirect object # 15, and 

- * begins at offset 0 of the set of objects.  The next object, # 16 begis at 

- * offset 3 is a dictionary.  The final object is also a dictionary, beginning 

+ *

+ * In the above example, the literal string (ab) is indirect object # 15, and

+ * begins at offset 0 of the set of objects.  The next object, # 16 begis at

+ * offset 3 is a dictionary.  The final object is also a dictionary, beginning

  * at offset 46.

- * 

- * @param pdf   Pdf struct that keeps track of all information found in the PDF. 

+ *

+ * @param pdf   Pdf struct that keeps track of all information found in the PDF.

  * @param objstm

- * 

+ *

  * @return CL_SUCCESS  if success

  * @return CL_EPARSE   if parsing error

  * @return CL_EMEM     if error allocating memory

@@ -298,7 +314,7 @@ int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm,

 {

     cl_error_t status = CL_EPARSE;

     struct pdf_obj *obj = NULL;

-    unsigned long objid = 0, objsize = 0, objoff = 0;

+    unsigned long objid = 0, objoff = 0;

     long temp_long         = 0;

     const char *index = NULL;

     size_t bytes_remaining = 0;

@@ -383,10 +399,10 @@ int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm,

     {

         unsigned long next_objid = 0, next_objoff = 0;

-        /* 

-         * While we're at it, 

+        /*

+         * While we're at it,

          *   lets record the size as running up to the next object offset.

-         * 

+         *

          * To do so, we will need to parse the next obj pair.

          */

         /* objstm->current_pair points directly to the obj id */

@@ -439,14 +455,14 @@ int pdf_findobj_in_objstm(struct pdf_struct *pdf, struct objstm_struct *objstm,

         }

         obj->size = next_objoff - objoff;

-    } 

-    else 

+    }

+    else

     {

         /*

          * Should be no more objects. We should verify.

-         * 

+         *

          * Either way...

-         *   obj->size should be the rest of the buffer. 

+         *   obj->size should be the rest of the buffer.

          */

         if (objstm->nobjs_found < objstm->n) {

             cli_warnmsg("pdf_findobj_in_objstm: Fewer objects found in object stream than expected!\n");

@@ -480,17 +496,25 @@ done:

 /**

  * @brief Find the next *indirect* object.

- * 

- * Indirect objects begin with "obj" and end with "endobj".

- * Identify objects that contain streams.

- * Identify truncated objects. 

- * 

+ *

+ * Indirect objects located outside of an object stream are prefaced with:

+ *      <objid> <genid> obj

+ *

+ * Each of the above are separated by whitespace of some sort.

+ *

+ * Indirect objects are postfaced with:

+ *      endobj

+ *

+ * The specification does not say if whitespace is required before or after "endobj".

+ *

+ * Identify truncated objects.

+ *

  * If found, pdf->offset will be updated to just after the "endobj".

  * If truncated, pdf->offset will == pdf->size.

  * If not found, pdf->offset will not be updated.

- * 

- * @param pdf   Pdf context struct that keeps track of all information found in the PDF. 

- * 

+ *

+ * @param pdf   Pdf context struct that keeps track of all information found in the PDF.

+ *

  * @return CL_SUCCESS  if success

  * @return CL_BREAK    if no more objects

  * @return CL_EPARSE   if parsing error

@@ -499,9 +523,13 @@ done:

 cl_error_t pdf_findobj(struct pdf_struct *pdf)

 {

     cl_error_t status = CL_EPARSE;

-    const char *start, *q, *q2, *q3, *eof;

+    const char *start, *idx, *genid_search_index, *objid_search_index;

+

+    const char *obj_begin = NULL, *obj_end = NULL;

+    const char *endobj_begin = NULL, *endobj_end = NULL;

+

     struct pdf_obj *obj = NULL;

-    off_t bytesleft;

+    size_t bytesleft;

     unsigned long genid, objid;

     long temp_long;

@@ -524,101 +552,111 @@ cl_error_t pdf_findobj(struct pdf_struct *pdf)

     start = pdf->map + pdf->offset;

     bytesleft = pdf->size - pdf->offset;

-    /* Indirect objects located outside of an object stream are prefaced with "obj"

-     * and suffixed with "endobj".  Find the "obj" preface. */

-    while (bytesleft > 0)

-    {

-        q2 = cli_memstr(start, bytesleft, "obj", 3);

-        if (!q2) {

-            status = CL_BREAK; /* no more objs */

-            goto done;

+    /*

+     * Start by searching for "obj"

+     */

+    idx = start + 1;

+    while (bytesleft > 1 + strlen("obj")) {

+        /* `- 1` accounts for size of white space before obj */

+        idx = cli_memstr(idx, bytesleft - 1, "obj", strlen("obj"));

+        if (NULL == idx) {

+            status = CL_BREAK;

+            goto done; /* No more objs. */

         }

-        /* verify that "obj" has a whitespace before it, and is not the end of 

-         * a previous string like... "globj" */

-        q2--;

-        bytesleft -= q2 - start;

+        /* verify that the word has a whitespace before it, and is not the end of

+         * a previous word */

+        idx--;

+        bytesleft = (pdf->size - pdf->offset) - (size_t)(idx - start);

-        if (*q2 != 0 && *q2 != 9 && *q2 != 0xa && *q2 != 0xc && *q2 != 0xd && *q2 != 0x20) {

-            /* This instance of the "obj" string appears to be part of another string.

+        if (*idx != 0 && *idx != 9 && *idx != 0xa && *idx != 0xc && *idx != 0xd && *idx != 0x20) {

+            /* This instance of "obj" appears to be part of a longer string.

              * Skip it, and keep searching for an object. */

-            start = q2+4;

-            bytesleft -= 4;

+            idx += 1 + strlen("obj");

+            bytesleft -= 1 + strlen("obj");

             continue;

         }

-        break; /* Found it. q2 should point to the whitespace before the "obj" string */

-    }

+        /* Found the beginning of the word */

+        obj_begin = idx;

+        obj_end = idx + 1 + strlen("obj");

-    if (bytesleft <= 0) {

-        status = CL_BREAK; /* No "obj" found. */

-        goto done;

+        break;

     }

-    /* "obj" found! */

+    if ((NULL == obj_begin) || (NULL == obj_end)) {

+        status = CL_BREAK;

+        goto done; /* No more objs. */

+    }

     /* Find the generation id (genid) that appears before the "obj" */

-    q = findNextNonWSBack(q2-1, start);

-    while (q > start && isdigit(*q))

-        q--;

+    genid_search_index = findNextNonWSBack(obj_begin - 1, start);

+    while (genid_search_index > start && isdigit(*genid_search_index))

+        genid_search_index--;

-    if (CL_SUCCESS != cli_strntol_wrap(q, (size_t)(bytesleft + (q2 - q)), 0, 10, &temp_long)) {

+    if (CL_SUCCESS != cli_strntol_wrap(genid_search_index, (size_t)((obj_begin) - genid_search_index), 0, 10, &temp_long)) {

         cli_dbgmsg("pdf_findobj: Failed to parse object genid (# objects found: %u)\n", pdf->nobjs);

         /* Failed to parse, probably not a real object.  Skip past the "obj" thing, and continue. */

-        pdf->offset = q2 + 4 - pdf->map;

+        pdf->offset = obj_end - pdf->map;

         status = CL_EPARSE;

         goto done;

     } else if (temp_long < 0) {

         cli_dbgmsg("pdf_findobj: Encountered invalid negative obj genid (%ld).\n", temp_long);

-        pdf->offset = q2 + 4 - pdf->map;

+        pdf->offset = obj_end - pdf->map;

         status      = CL_EPARSE;

         goto done;

     }

     genid = (unsigned long)temp_long;

-    /* Find the object id (objid) that appers before the genid */

-    q = findNextNonWSBack(q-1,start);

-    while (q > start && isdigit(*q))

-        q--;

+    /* Find the object id (objid) that appears before the genid */

+    objid_search_index = findNextNonWSBack(genid_search_index - 1, start);

+    while (objid_search_index > start && isdigit(*objid_search_index))

+        objid_search_index--;

-    if (CL_SUCCESS != cli_strntol_wrap(q, (size_t)(bytesleft + (q2 - q)), 0, 10, &temp_long)) {

+    if (CL_SUCCESS != cli_strntol_wrap(objid_search_index, (size_t)((genid_search_index) - objid_search_index), 0, 10, &temp_long)) {

         /*

-         * PDFs with multiple revisions will have %%EOF before the end of the file, 

-         * followed by the next revision of the PDF.  If this is the case, we can 

-         * detect it and continue parsing after the %%EOF.

+         * Edge case:

+         *

+         * PDFs with multiple revisions will have %%EOF before the end of the file,

+         * followed by the next revision of the PDF, which will probably be an immediate objid.

+         *

+         * Example:

+         *   %%EOF1 1 obj <blah> endobj

+         *

+         * If this is the case, we can detect it and continue parsing after the %%EOF.

          */

-        if (q - 4 > start) {

-            const char* lastfile = q - 4;

+        if (objid_search_index - strlen("\%\%EO") > start) {

+            const char* lastfile = objid_search_index - strlen("\%\%EO");

             if (0 != strncmp(lastfile, "\%\%EOF", 5)) {

                 /* Nope, wasn't %%EOF */

                 cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

                 /* Skip past the "obj" thing, and continue. */

-                pdf->offset = q2 + 4 - pdf->map;

-                status = CL_EPARSE;

+                pdf->offset = obj_end - pdf->map;

+                status      = CL_EPARSE;

                 goto done;

             }

-            /* Yup, Looks, like the file continues after %%EOF.  

+            /* Yup, Looks, like the file continues after %%EOF.

              * Probably another revision.  Keep parsing... */

-            q++;

-            cli_dbgmsg("pdf_findobj: \%\%EOF detected before end of file, at %zu\n", (size_t)q);

+            objid_search_index++;

+            cli_dbgmsg("pdf_findobj: \%\%EOF detected before end of file, at offset: %zu\n", (size_t)(objid_search_index - pdf->map));

         } else {

             /* Failed parsing at the very beginning */

             cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

             /* Probably not a real object.  Skip past the "obj" thing, and continue. */

-            pdf->offset = q2 + 4 - pdf->map;

-            status = CL_EPARSE;

+            pdf->offset = obj_end - pdf->map;

+            status      = CL_EPARSE;

             goto done;

         }

         /* Try again, with offset slightly adjusted */

-        if (CL_SUCCESS != cli_strntol_wrap(q, (size_t)(bytesleft + (q2 - q)), 0, 10, &temp_long)) {

+        if (CL_SUCCESS != cli_strntol_wrap(objid_search_index, (size_t)((genid_search_index - 1) - objid_search_index), 0, 10, &temp_long)) {

             cli_dbgmsg("pdf_findobj: Failed to parse object objid (# objects found: %u)\n", pdf->nobjs);

             /* Still failed... Probably not a real object.  Skip past the "obj" thing, and continue. */

-            pdf->offset = q2 + 4 - pdf->map;

-            status = CL_EPARSE;

+            pdf->offset = obj_end - pdf->map;

+            status      = CL_EPARSE;

             goto done;

         } else if (temp_long < 0) {

             cli_dbgmsg("pdf_findobj: Encountered invalid negative objid (%ld).\n", temp_long);

-            pdf->offset = q2 + 4 - pdf->map;

+            pdf->offset = obj_end - pdf->map;

             status      = CL_EPARSE;

             goto done;

         }

@@ -626,85 +664,54 @@ cl_error_t pdf_findobj(struct pdf_struct *pdf)

         cli_dbgmsg("pdf_findobj: There appears to be an additional revision. Continuing to parse...\n");

     } else if (temp_long < 0) {

         cli_dbgmsg("pdf_findobj: Encountered invalid negative objid (%ld).\n", temp_long);

-        pdf->offset = q2 + 4 - pdf->map;

+        pdf->offset = obj_end - pdf->map;

         status      = CL_EPARSE;

         goto done;

     }

     objid = (unsigned long)temp_long;

-    /*

-     * Ok so we have the objid, genid, and "obj" string.

-     *   Time to store that information and then ...

-     *     ... investigate what kind of object this is.

-     */

     obj->id = (objid << 8) | (genid & 0xff);

-    obj->start = q2+4 - pdf->map; /* obj start begins just after the "obj" string */

+    obj->start = obj_end - pdf->map; /* obj start begins just after the "obj" string */

     obj->flags = 0;

-    bytesleft -= 4;

-    eof = pdf->map + pdf->size;

-    q = pdf->map + obj->start;

-

-    while (q < eof && bytesleft > 0)

-    {

-        off_t p_stream, p_endstream;

-        q2 = pdf_nextobject(q, bytesleft);

-        if (!q2)

-            q2 = pdf->map + pdf->size; /* No interesting objects found, fast-forward to eof */

-

-        bytesleft -= q2 - q;

-        if (find_stream_bounds(q-1, q2-q, bytesleft + (q2-q), &p_stream, &p_endstream, 1)) {

-            /*

-             * Found obj that contains a stream.

-             */

-            obj->flags |= 1 << OBJ_STREAM;

-            q2 = q-1 + p_endstream + 9;

-            bytesleft -= q2 - q + 1;

-

-            if (bytesleft < 0) {

-                /* ... and the stream is truncated.  Hmm... */

-                obj->flags |= 1 << OBJ_TRUNCATED;

-                pdf->offset = pdf->size;

-

-                status = CL_SUCCESS;

-                goto done; /* Truncated file, no end to obj/stream. 

-                            * The next call to pdf_findobj() will return no more objects. */

-            }

-        } else if ((q3 = cli_memstr(q-1, q2-q+1, "endobj", 6))) {

-            /*

-             * obj found and offset positioned. ideal return case

-             */

-            q2 = q3 + 6;

-            pdf->offset = q2 - pdf->map; /* update the offset to just after the endobj */

-

-            status = CL_SUCCESS;

-            goto done; 

-        } else {

-            q2++;

-            bytesleft--;

-        }

-

-        q = q2;

+    /*

+     * We now have the objid, genid, and object start.

+     * Find the object end ("endobj").

+     */

+    /* `- 1` accounts for size of white space before obj */

+    endobj_begin = cli_memstr(obj_end, pdf->map + pdf->size - obj_end, "endobj", strlen("endobj"));

+    if (NULL == endobj_begin) {

+        /* No end to object.

+         * PDF appears to be malformed or truncated.

+         * Will record the object size as going ot the end of the file.

+         * Will record that the object is truncated.

+         * Will position the pdf offset to the end of the PDF.

+         * The next iteration of this function will find no more objects. */

+        obj->flags |= 1 << OBJ_TRUNCATED;

+        obj->size   = (pdf->map + pdf->size) - obj_end;

+        pdf->offset = pdf->size;

+

+        /* Truncated "object" found! */

+        status = CL_SUCCESS;

+        goto done;

     }

+    endobj_end = endobj_begin + strlen("endobj");

-    obj->flags |= 1 << OBJ_TRUNCATED;

-    pdf->offset = pdf->size;

+    /* Size of the object goes from "obj" <-> "endobject". */

+    obj->size = endobj_begin - obj_end;

+    pdf->offset = endobj_end - pdf->map;

+    /*

+     * Object found!

+     */

     status = CL_SUCCESS; /* truncated file, no end to obj. */

 done:

     if (status == CL_SUCCESS) {

-        cli_dbgmsg("pdf_findobj: found %d %d obj @%lld\n", obj->id >> 8, obj->id&0xff, (long long)(obj->start + pdf->startoff));

+        cli_dbgmsg("pdf_findobj: found %d %d obj @%lld, size: %zu bytes.\n", obj->id >> 8, obj->id&0xff, (long long)(obj->start + pdf->startoff), obj->size);

     }

     else

     {

-        if(status == CL_BREAK) {

-            cli_dbgmsg("pdf_findobj: No more objects (# objects found: %u)\n", pdf->nobjs);

-        } else if(status == CL_EMEM) {

-            cli_warnmsg("pdf_findobj: Error allocating memory (# objects found: %u)\n", pdf->nobjs);

-        } else {

-            cli_dbgmsg("pdf_findobj: Unexpected status code %d.\n", status);

-        }

         /* Remove the unused obj reference from our list of objects found */

         /* No need to realloc pdf->objs back down.  It won't leak. */

         pdf->objs[pdf->nobjs-1] = NULL;

@@ -713,9 +720,17 @@ done:

         /* Free up the obj struct. */

         if (NULL != obj)

             free(obj);

+

+        if(status == CL_BREAK) {

+            cli_dbgmsg("pdf_findobj: No more objects (# objects found: %u)\n", pdf->nobjs);

+        } else if(status == CL_EMEM) {

+            cli_warnmsg("pdf_findobj: Error allocating memory (# objects found: %u)\n", pdf->nobjs);

+        } else {

+            cli_dbgmsg("pdf_findobj: Unexpected status code %d.\n", status);

+        }

     }

-    return status; 

+    return status;

 }

 static size_t filter_writen(struct pdf_struct *pdf, struct pdf_obj *obj, int fout, const char *buf, size_t len, size_t *sum)

@@ -836,14 +851,14 @@ struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t o

 /**

  * @brief   Find and interpret the "/Length" dictionary key value.

- * 

+ *

  * The value may be:

- *  - a direct object (i.e. just a number) 

+ *  - a direct object (i.e. just a number)

  *  - an indirect object, where the value is somewhere else in the document and we have to look it up.

  *    indirect objects are referenced using an object id (objid), generation id (genid) genid, and the letter 'R'.

- * 

+ *

  * Example dictionary with a single key "/Length" that relies direct object for the value.

- * 

+ *

  *      1 0 obj

  *          << /Length 534

  *              /Filter [ /ASCII85Decode /LZWDecode ]

@@ -857,9 +872,9 @@ struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t o

  *              JD?M$0QP)lKn06l1apKDC@\qJ4B!!(5m+j.7F790m(Vj88l8Q:_CZ(Gm1%X\N1&u!FKHMB~>

  *          endstream

  *      endobj

- * 

+ *

  * Example dictionary with a single key "/Length" that relies on an indirect object for the value.

- * 

+ *

  *      7 0 obj

  *          << /Length 8 0 R >> % An indirect reference to object 8, with generation id 0.

  *          stream

@@ -870,11 +885,11 @@ struct pdf_obj *find_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t o

  *              ET

  *          endstream

  *      endobj

- * 

+ *

  *      8 0 obj

  *          77 % The length of the preceding stream

  *      endobj

- * 

+ *

  * @param pdf       Pdf context structure.

  * @param obj       Pdf object context structure.

  * @param start     Pointer start of the dictionary string.

@@ -914,12 +929,12 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

     if (!obj_start)

         return 0;

-    if (bytes_remaining < obj_start - index) {

+    if (bytes_remaining < (size_t)(obj_start - index)) {

         return 0;

     }

     bytes_remaining -= obj_start - index;

     index = obj_start;

-    

+

     /* Read the value.  This could either be the direct length value,

        or the object id of the indirect object that has the length */

     if (CL_SUCCESS != cli_strntol_wrap(index, bytes_remaining, 0, 10, &temp_long)) {

@@ -931,10 +946,10 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

     }

     length = (size_t)temp_long; /* length or maybe object id */

-    /* 

-     * Keep parsing, skipping past the first integer that might have been what we wanted. 

-     * If it's an indirect object, we'll find a Generation ID followed by the letter 'R' 

-     * I.e. something like " 0 R" 

+    /*

+     * Keep parsing, skipping past the first integer that might have been what we wanted.

+     * If it's an indirect object, we'll find a Generation ID followed by the letter 'R'

+     * I.e. something like " 0 R"

      */

     while ((bytes_remaining > 0) && isdigit(*index)) {

         index++;

@@ -966,14 +981,14 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

         }

         if (index[0] == ' ' && index[1] == 'R') {

-            /* 

-             * Ok so we found a genid and that 'R'.  Which means that first value 

+            /*

+             * Ok so we found a genid and that 'R'.  Which means that first value

              * was actually the objid.

              * We can look up the indirect object using this information.

              */

             unsigned long objid = length;

             const char* indirect_obj_start = NULL;

-            

+

             cli_dbgmsg("find_length: length is in indirect object %lu %lu\n", objid, genid);

             obj = find_obj(pdf, obj, (length << 8) | (genid&0xff));

@@ -984,15 +999,15 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

             indirect_obj_start = pdf->map + obj->start;

             bytes_remaining = pdf->size - obj->start;

-            

+

             /* Ok so we found the indirect object, lets read the value. */

             index = pdf_nextobject(indirect_obj_start, bytes_remaining);

             if (!index) {

                 cli_dbgmsg("find_length: next object not found\n");

                 return 0;

             }

-            

-            if (bytes_remaining < index - indirect_obj_start) {

+

+            if (bytes_remaining < (size_t)(index - indirect_obj_start)) {

                 return 0;

             }

             bytes_remaining -= index - indirect_obj_start;

@@ -1010,7 +1025,7 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

     }

     /* limit length */

-    if (obj_start - pdf->map + length + 5 > pdf->size)

+    if ((size_t)(obj_start - pdf->map) + length + 5 > pdf->size)

         length = pdf->size - (obj_start - pdf->map) - 5;

     return length;

@@ -1018,102 +1033,6 @@ static size_t find_length(struct pdf_struct *pdf, struct pdf_obj *obj, const cha

 #define DUMP_MASK ((1 << OBJ_CONTENTS) | (1 << OBJ_FILTER_FLATE) | (1 << OBJ_FILTER_DCT) | (1 << OBJ_FILTER_AH) | (1 << OBJ_FILTER_A85) | (1 << OBJ_EMBEDDED_FILE) | (1 << OBJ_JAVASCRIPT) | (1 << OBJ_OPENACTION) | (1 << OBJ_LAUNCHACTION))

-static int obj_size(struct pdf_struct *pdf, struct pdf_obj *obj, int binary)

-{

-    if (0 == obj->size)

-    {

-        /*

-         * Programmatically determine size if not already known.

-         */

-        unsigned i = 0;

-

-        /* Find the index of the current object */

-        for (i = 0; i < pdf->nobjs; i++) {

-            if (pdf->objs[i] == obj)

-                break;

-        }

-

-        /* Find the next object that exists in the same buffer (pdf fmap, or object stream) */

-        if (i < pdf->nobjs) {

-            i++;

-        }

-

-        if (obj->objstm == NULL) {

-            /* Current object isn't in an object stream, we want to find

-             * the next object that also isn't in an object stream. */

-            for ( ; i < pdf->nobjs; i++) {

-                if (pdf->objs[i]->objstm == NULL)

-                    break;

-            }

-        } else {

-            /* Current object is in an object stream, we want to find

-             * the next object that is in the same object stream.

-             *

-             * This really shouldn't happen, so throw a warning and

-             * then see if we can solve it anyhow */

-            cli_warnmsg("obj_size: Encountered pdf object in an object stream that has an unknown size!!\n");

-

-            for ( ; i < pdf->nobjs; i++) {

-                if (pdf->objs[i]->objstm == obj->objstm)

-                    break;

-            }

-        }

-

-        /* Step backwards from the "next" object to find the end of the current object */

-        if (i < pdf->nobjs) {

-            int s = pdf->objs[i]->start - obj->start - 4;

-            if (s > 0) {

-                if (!binary) {

-                    const char *p = NULL;

-                    const char *q = NULL;

-

-                    if (obj->objstm == NULL) {

-                        p = pdf->map + obj->start;

-                    } else {

-                        p = obj->objstm->streambuf + obj->start;

-                    }

-                    q = p + s;

-

-                    while (q > p && (isspace(*q) || isdigit(*q)))

-                        q--;

-

-                    if (q > p+5 && !memcmp(q-5,"endobj",6))

-                        q -= 6;

-

-                    q = findNextNonWSBack(q, p);

-                    q++;

-

-                    obj->size = q - p;

-                    goto done;

-                }

-

-                obj->size = s;

-                goto done;

-            }

-        }

-

-        /* If we've gotten this far, we didn't find a "next" object... so our 

-         * current object must be at the end of the pdf fmap or the end of the 

-         * object stream. */

-        if (obj->objstm == NULL) {

-            /* Current object isn't in an object stream, so we can determine object 

-             * size based on the remaining size of the file (in theory). */

-            if (binary)

-                obj->size = pdf->size - obj->start;

-            else

-                obj->size = pdf->offset - obj->start - 6; /* This hack I think assumes that we reached the end of the file when finding objects. */

-        } else {

-            /* Current object is in an object stream, we want to find 

-             * the next object that is in the same object stream. */

-            obj->size = obj->objstm->streambuf_len - obj->start;

-        }

-    }

-

-done:

-

-    return obj->size;

-}

-

 static int run_pdf_hooks(struct pdf_struct *pdf, enum pdf_phase phase, int fd, int dumpid)

 {

     int ret;

@@ -1482,330 +1401,328 @@ int pdf_extract_obj(struct pdf_struct *pdf, struct pdf_obj *obj, uint32_t flags)

     if (!(flags & PDF_EXTRACT_OBJ_SCAN))

         obj->path = strdup(fullname);

-    do {

-        if (obj->flags & (1 << OBJ_STREAM)) {

-            const char *start = pdf->map + obj->start;

-            off_t p_stream = 0, p_endstream = 0;

-            off_t length;

+    if ((NULL == obj->objstm) &&

+        (obj->flags & (1 << OBJ_STREAM))) {

+        /*

+         * Object contains a stream. Parse this now.

+         */

+        cli_dbgmsg("pdf_extract_obj: parsing a stream in obj %u %u\n", obj->id>>8, obj->id&0xff);

-            if (NULL != obj->objstm) {

-                cli_warnmsg("pdf_extract_obj: Object found in object stream claims to be an object stream! Skipping.\n");

-                break;

+        const char *start = pdf->map + obj->start;

+

+        size_t length;

+        size_t orig_length;

+        int dict_len = obj->stream - start; /* Dictionary should end where the stream begins */

+

+        const char *pstr;

+        struct pdf_dict *dparams = NULL;

+        struct objstm_struct *objstm = NULL;

+        int xref = 0;

+

+        /* Find and interpret the length dictionary value */

+        length = find_length(pdf, obj, start, dict_len);

+        if (length < 0)

+            length = 0;

+

+        orig_length = length;

+

+        if (length > obj->stream_size) {

+            cli_dbgmsg("cli_pdf: Stream length exceeds object length by %zu bytes. Length truncated to %zu bytes\n", length - obj->stream_size, obj->stream_size);

+            noisy_warnmsg("Stream length exceeds object length by %zu bytes. Length truncated to %zu bytes\n", length - obj->stream_size, obj->stream_size);

+

+            length = obj->stream_size;

+        }

+

+        if (!(obj->flags & (1 << OBJ_FILTER_FLATE)) && (length <= 0)) {

+            /*

+             * If the length is unknown and this doesn't contain a FLATE encoded filter...

+             * Calculate the length using the stream size, and trimming

+             * off any newline/carriage returns from the end of the stream.

+             */

+            const char *q = start + obj->stream_size;

+            length = obj->stream_size;

+            q--;

+

+            if (*q == '\n') {

+                q--;

+                length--;

+

+                if (*q == '\r')