summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobin Watts <robin.watts@artifex.com>2014-02-28 15:04:35 +0000
committerRobin Watts <robin.watts@artifex.com>2014-02-28 15:09:19 +0000
commit1ed27a8243b5335040a4d9d9fac9d239a13b0602 (patch)
tree7563f4de62fb3bae2dc7f340868267e64ee5cb79
parent096272252c0d00449bb68c7fddecc13ec2cecdd0 (diff)
downloadmupdf-1ed27a8243b5335040a4d9d9fac9d239a13b0602.tar.xz
Fix potential illegal access.
pdf_flush_text can cause the list of gstates to be extended. This can in turn cause them to move in memory. This means that any gstate pointers already held can be invalidated. Update the code to allow for this.
-rw-r--r--source/pdf/pdf-interpret.c36
1 files changed, 19 insertions, 17 deletions
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c
index 02094fef..c01d7ea5 100644
--- a/source/pdf/pdf-interpret.c
+++ b/source/pdf/pdf-interpret.c
@@ -673,7 +673,7 @@ pdf_show_path(pdf_csi *csi, int doclose, int dofill, int dostroke, int even_odd)
* Assemble and emit text
*/
-static void
+static pdf_gstate *
pdf_flush_text(pdf_csi *csi)
{
pdf_gstate *gstate = csi->gstate + csi->gtop;
@@ -686,7 +686,7 @@ pdf_flush_text(pdf_csi *csi)
softmask_save softmask = { NULL };
if (!csi->text)
- return;
+ return gstate;
text = csi->text;
csi->text = NULL;
@@ -798,6 +798,8 @@ pdf_flush_text(pdf_csi *csi)
{
fz_rethrow(ctx);
}
+
+ return csi->gstate + csi->gtop;
}
static void
@@ -871,7 +873,7 @@ pdf_show_char(pdf_csi *csi, int cid)
gstate->render != csi->text_mode ||
render_direct)
{
- pdf_flush_text(csi);
+ gstate = pdf_flush_text(csi);
csi->text = fz_new_text(ctx, fontdesc->font, &trm, fontdesc->wmode);
csi->text->trm.e = 0;
@@ -1265,10 +1267,10 @@ static void
pdf_set_colorspace(pdf_csi *csi, int what, fz_colorspace *colorspace)
{
fz_context *ctx = csi->dev->ctx;
- pdf_gstate *gs = csi->gstate + csi->gtop;
+ pdf_gstate *gs;
pdf_material *mat;
- pdf_flush_text(csi);
+ gs = pdf_flush_text(csi);
mat = what == PDF_FILL ? &gs->fill : &gs->stroke;
@@ -1294,11 +1296,11 @@ static void
pdf_set_color(pdf_csi *csi, int what, float *v)
{
fz_context *ctx = csi->dev->ctx;
- pdf_gstate *gs = csi->gstate + csi->gtop;
+ pdf_gstate *gs;
pdf_material *mat;
int i;
- pdf_flush_text(csi);
+ gs = pdf_flush_text(csi);
mat = what == PDF_FILL ? &gs->fill : &gs->stroke;
@@ -1323,10 +1325,10 @@ static void
pdf_set_shade(pdf_csi *csi, int what, fz_shade *shade)
{
fz_context *ctx = csi->dev->ctx;
- pdf_gstate *gs = csi->gstate + csi->gtop;
+ pdf_gstate *gs;
pdf_material *mat;
- pdf_flush_text(csi);
+ gs = pdf_flush_text(csi);
mat = what == PDF_FILL ? &gs->fill : &gs->stroke;
@@ -1341,10 +1343,10 @@ static void
pdf_set_pattern(pdf_csi *csi, int what, pdf_pattern *pat, float *v)
{
fz_context *ctx = csi->dev->ctx;
- pdf_gstate *gs = csi->gstate + csi->gtop;
+ pdf_gstate *gs;
pdf_material *mat;
- pdf_flush_text(csi);
+ gs = pdf_flush_text(csi);
mat = what == PDF_FILL ? &gs->fill : &gs->stroke;
@@ -1661,11 +1663,11 @@ static void
pdf_run_extgstate(pdf_csi *csi, pdf_obj *rdb, pdf_obj *extgstate)
{
fz_context *ctx = csi->dev->ctx;
- pdf_gstate *gstate = csi->gstate + csi->gtop;
+ pdf_gstate *gstate;
fz_colorspace *colorspace;
int i, k, n;
- pdf_flush_text(csi);
+ gstate = pdf_flush_text(csi);
n = pdf_dict_len(extgstate);
for (i = 0; i < n; i++)
@@ -2234,9 +2236,9 @@ static void pdf_run_Tw(pdf_csi *csi)
static void pdf_run_Tz(pdf_csi *csi)
{
- pdf_gstate *gstate = csi->gstate + csi->gtop;
+ pdf_gstate *gstate;
float a = csi->stack[0] / 100;
- pdf_flush_text(csi);
+ gstate = pdf_flush_text(csi);
gstate->scale = a;
}
@@ -2583,8 +2585,8 @@ static void pdf_run_v(pdf_csi *csi)
static void pdf_run_w(pdf_csi *csi)
{
- pdf_gstate *gstate = csi->gstate + csi->gtop;
- pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */
+ pdf_gstate *gstate;
+ gstate = pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */
csi->dev->flags &= ~FZ_DEVFLAG_LINEWIDTH_UNDEFINED;
gstate->stroke_state = fz_unshare_stroke_state(csi->dev->ctx, gstate->stroke_state);
gstate->stroke_state->linewidth = csi->stack[0];