diff options
author | Robin Watts <robin.watts@artifex.com> | 2014-02-28 15:04:35 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2014-02-28 15:09:19 +0000 |
commit | 1ed27a8243b5335040a4d9d9fac9d239a13b0602 (patch) | |
tree | 7563f4de62fb3bae2dc7f340868267e64ee5cb79 | |
parent | 096272252c0d00449bb68c7fddecc13ec2cecdd0 (diff) | |
download | mupdf-1ed27a8243b5335040a4d9d9fac9d239a13b0602.tar.xz |
Fix potential illegal access.
pdf_flush_text can cause the list of gstates to be extended. This
can in turn cause them to move in memory. This means that any
gstate pointers already held can be invalidated.
Update the code to allow for this.
-rw-r--r-- | source/pdf/pdf-interpret.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c index 02094fef..c01d7ea5 100644 --- a/source/pdf/pdf-interpret.c +++ b/source/pdf/pdf-interpret.c @@ -673,7 +673,7 @@ pdf_show_path(pdf_csi *csi, int doclose, int dofill, int dostroke, int even_odd) * Assemble and emit text */ -static void +static pdf_gstate * pdf_flush_text(pdf_csi *csi) { pdf_gstate *gstate = csi->gstate + csi->gtop; @@ -686,7 +686,7 @@ pdf_flush_text(pdf_csi *csi) softmask_save softmask = { NULL }; if (!csi->text) - return; + return gstate; text = csi->text; csi->text = NULL; @@ -798,6 +798,8 @@ pdf_flush_text(pdf_csi *csi) { fz_rethrow(ctx); } + + return csi->gstate + csi->gtop; } static void @@ -871,7 +873,7 @@ pdf_show_char(pdf_csi *csi, int cid) gstate->render != csi->text_mode || render_direct) { - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); csi->text = fz_new_text(ctx, fontdesc->font, &trm, fontdesc->wmode); csi->text->trm.e = 0; @@ -1265,10 +1267,10 @@ static void pdf_set_colorspace(pdf_csi *csi, int what, fz_colorspace *colorspace) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1294,11 +1296,11 @@ static void pdf_set_color(pdf_csi *csi, int what, float *v) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; int i; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1323,10 +1325,10 @@ static void pdf_set_shade(pdf_csi *csi, int what, fz_shade *shade) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1341,10 +1343,10 @@ static void pdf_set_pattern(pdf_csi *csi, int what, pdf_pattern *pat, float *v) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1661,11 +1663,11 @@ static void pdf_run_extgstate(pdf_csi *csi, pdf_obj *rdb, pdf_obj *extgstate) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gstate = csi->gstate + csi->gtop; + pdf_gstate *gstate; fz_colorspace *colorspace; int i, k, n; - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); n = pdf_dict_len(extgstate); for (i = 0; i < n; i++) @@ -2234,9 +2236,9 @@ static void pdf_run_Tw(pdf_csi *csi) static void pdf_run_Tz(pdf_csi *csi) { - pdf_gstate *gstate = csi->gstate + csi->gtop; + pdf_gstate *gstate; float a = csi->stack[0] / 100; - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); gstate->scale = a; } @@ -2583,8 +2585,8 @@ static void pdf_run_v(pdf_csi *csi) static void pdf_run_w(pdf_csi *csi) { - pdf_gstate *gstate = csi->gstate + csi->gtop; - pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */ + pdf_gstate *gstate; + gstate = pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */ csi->dev->flags &= ~FZ_DEVFLAG_LINEWIDTH_UNDEFINED; gstate->stroke_state = fz_unshare_stroke_state(csi->dev->ctx, gstate->stroke_state); gstate->stroke_state->linewidth = csi->stack[0]; |