diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 3564807..fb12dcf 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -719,6 +719,10 @@ GBool XRef::readXRefStreamSection(Stream *xrefStr, int *w, int first, int n) {
 error(errSyntaxError, -1, "Invalid 'size' inside xref table");
 return gFalse;
 }
+ if (first + n > size) {
+ error(errSyntaxError, -1, "Invalid 'first' or 'n' inside xref table");
+ return gFalse;
+ }
 }
 for (i = first; i < first + n; ++i) {
 if (w[0] == 0) {
@@ -1085,6 +1089,8 @@ Object *XRef::fetch(int num, int gen, Object *obj, int recursion) {
 objStr = NULL;
 goto err;
 } else {
+ // XRef could be reconstructed in constructor od ObjectStream:
+ e = getEntry(num);
 ObjectStreamKey *newkey = new ObjectStreamKey(e->offset);
 ObjectStreamItem *newitem = new ObjectStreamItem(objStr);
 objStrs->put(newkey, newitem);
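Review bot: The new guard `if (first + n > size)` adds two `int` values that, judging by the error text, are read from the xref stream, so a large `first` or `n` can overflow the sum (undefined behaviour for signed int) and slip past the comparison. A negative `first` would also pass, and the loop right below starts indexing at `i = first`. Unless a range check earlier in readXRefStreamSection (outside this hunk) already rejects such values, write the test without the addition: `if (first < 0 || n < 0 || first > size - n) {`. A one-line comment explaining why `size` can still be too small at this point, after the preceding 'size' check passed, would also help the next reader.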
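Review bot: The refreshed `e = getEntry(num)` is dereferenced immediately as `e->offset` without repeating whatever validation the previous entry went through earlier in XRef::fetch, which starts and continues outside this hunk. If the table really was rebuilt while the ObjectStream was constructed, the entry for `num` may now have a different type or offset, and the cache key would then no longer match the offset `objStr` was presumably created from. Consider re-checking the entry here and leaving through the existing `goto err` path when it no longer matches. The comment has a typo and could name the hazard directly: `// XRef may have been reconstructed in the constructor of ObjectStream, so the earlier e can be stale; fetch it again`.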