diff options
author | Simon Bünzli <zeniko@gmail.com> | 2013-09-04 14:04:39 +0200 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-09-10 14:09:01 +0100 |
commit | 527afcaa0744472d7ad2ef84ce79ab34a036ad85 (patch) | |
tree | 0486bc583d3c98ef1ec673724905b81935b9e9a0 | |
parent | dc45e762170a9b642af588d1c067757ae6a6c683 (diff) | |
download | mupdf-527afcaa0744472d7ad2ef84ce79ab34a036ad85.tar.xz |
Bug 694567: prevent double-free in pdf_open_raw_filter
If opening a filter in pdf_open_crypt throws, the stream is closed in
the used fz_open_* method and thus mustn't be closed again.
-rw-r--r-- | source/fitz/filter-basic.c | 5 | ||||
-rw-r--r-- | source/pdf/pdf-stream.c | 14 |
2 files changed, 7 insertions, 12 deletions
diff --git a/source/fitz/filter-basic.c b/source/fitz/filter-basic.c index 3968d193..4e64d016 100644 --- a/source/fitz/filter-basic.c +++ b/source/fitz/filter-basic.c @@ -639,9 +639,11 @@ close_aesd(fz_context *ctx, void *state_) fz_stream * fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen) { - fz_aesd *state; + fz_aesd *state = NULL; fz_context *ctx = chain->ctx; + fz_var(state); + fz_try(ctx) { state = fz_malloc_struct(ctx, fz_aesd); @@ -654,6 +656,7 @@ fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen) } fz_catch(ctx) { + fz_free(ctx, state); fz_close(chain); fz_rethrow(ctx); } diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c index a46cdcc7..88a7559f 100644 --- a/source/pdf/pdf-stream.c +++ b/source/pdf/pdf-stream.c @@ -244,17 +244,9 @@ pdf_open_raw_filter(fz_stream *chain, pdf_document *doc, pdf_obj *stmobj, int nu len = pdf_to_int(pdf_dict_gets(stmobj, "Length")); chain = fz_open_null(chain, len, offset); - fz_try(ctx) - { - hascrypt = pdf_stream_has_crypt(ctx, stmobj); - if (doc->crypt && !hascrypt) - chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen); - } - fz_catch(ctx) - { - fz_close(chain); - fz_rethrow(ctx); - } + hascrypt = pdf_stream_has_crypt(ctx, stmobj); + if (doc->crypt && !hascrypt) + chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen); return chain; } |