author | Robin Watts <robin.watts@artifex.com> | 2013-01-02 18:22:54 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-01-03 13:05:26 +0000 |
commit | 3333ceb551d107506009e0982023960ceaf9a98f (patch) | |
tree | 1e4f08012cafc87eff10c68702c61df57a3cb2f0 | |
parent | 13df8c72e4cdeb9860a377c6c8c5827440bede39 (diff) | |
download | mupdf-3333ceb551d107506009e0982023960ceaf9a98f.tar.xz |
Bug 693503: Fix leak of pdf object.
When parsing a (broken) PDF stream, we can forget an existing
parsed object when we parse another one. Check for us having
one and free it if we do.
Problem found in a test file, 3289.pdf.asan.77.2545 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
-rw-r--r-- | pdf/pdf_interpret.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/pdf/pdf_interpret.c b/pdf/pdf_interpret.c index e2a21a11..9f81d629 100644 --- a/pdf/pdf_interpret.c +++ b/pdf/pdf_interpret.c @@ -2686,6 +2686,11 @@ pdf_run_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file, pdf_lexbuf *buf) case PDF_TOK_OPEN_ARRAY: if (!csi->in_text) { + if (csi->obj) + { + pdf_drop_obj(csi->obj); + csi->obj = NULL; + } csi->obj = pdf_parse_array(csi->xref, file, buf); } else @@ -2695,6 +2700,11 @@ pdf_run_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file, pdf_lexbuf *buf) break; case PDF_TOK_OPEN_DICT: + if (csi->obj) + { + pdf_drop_obj(csi->obj); + csi->obj = NULL; + } csi->obj = pdf_parse_dict(csi->xref, file, buf); break; @@ -2728,6 +2738,11 @@ pdf_run_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file, pdf_lexbuf *buf) } else { + if (csi->obj) + { + pdf_drop_obj(csi->obj); + csi->obj = NULL; + } csi->obj = pdf_new_string(ctx, buf->scratch, buf->len); } break; |
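Review bot: The same five-line drop-and-clear of `csi->obj` is now pasted into three branches of pdf_run_stream (PDF_TOK_OPEN_ARRAY, PDF_TOK_OPEN_DICT and the string `else` branch in the third hunk), so any other branch that overwrites `csi->obj` can still leak on a malformed stream. A small file-local helper, for example a proposed `static void pdf_clear_obj(pdf_csi *csi)` holding that `if` block, would reduce each site to `pdf_clear_obj(csi);` and make a missing call easier to spot. The remaining token cases that assign `csi->obj` are outside these hunks and should be checked for the same pattern, since this path is reached by attacker-supplied content streams. Clearing the pointer before the parse call looks deliberate: if `pdf_parse_array` or `pdf_parse_dict` can fail part-way (not visible here), a stale pointer could be dropped a second time during cleanup. That deserves a comment such as `/* clear before parsing so a failed parse cannot leave a dropped object in csi->obj */`. The function body starts and ends outside all three hunks.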