author: Robin Watts <robin.watts@artifex.com>  2012-12-24 15:51:21 +0000
committer: Robin Watts <robin.watts@artifex.com>  2013-01-02 12:26:43 +0000
commit: 9e92b5bb54700e1e4e77bde517d45820d383db8e (patch)
tree: 2e3fddc789f3e8e4d0778aa7dfd0a6be2ff9dd69
parent: 12f83ab602f913e8e34aab5348339bccc8ace53e (diff)
download: mupdf-9e92b5bb54700e1e4e77bde517d45820d383db8e.tar.xz
Bug 693503: Fix leak/illegal memory write caused by stale pointer
When running a softmask, we remove the softmask from the gstate, then run the group contents, then put the softmask back. If the gstate stack is moved in the meantime (due to it being realloced for extension), we can end up with it being moved. We therefore must recalculate gstate before writing again.

Problem found in a test file, pdf_001/2599.pdf.asan.58.1778 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer.

Many thanks!
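The bug class behind this commit is a pointer into a growable array that is captured before, and dereferenced after, a call that may reallocate the array. The following is an added example, not MuPDF's code: a minimal stand-in for the gstate stack (`csi_t`, `gstate_t`, `gsave`, `grestore`, `run_group` and the growth policy are all hypothetical), with the pre-fix write pattern and the fixed pattern side by side. The model grows the array with malloc+memcpy+free instead of realloc so that the array is guaranteed to move, which makes the stale-pointer case reproducible without needing a specific PDF to trigger it.

```c
/* Added example (not MuPDF's code): a model of a gstate stack that grows by
 * reallocation, showing why a pointer into the stack held across a call that
 * may grow it goes stale, and the fix of recomputing base + index afterwards.
 * All names here are hypothetical stand-ins for the MuPDF structures. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int softmask; int ctm; } gstate_t;             /* stand-in for pdf_gstate */
typedef struct { gstate_t *gstate; int gtop; int gcap; } csi_t;  /* stand-in for pdf_csi */

static void csi_init(csi_t *csi)
{
    csi->gcap = 1;
    csi->gtop = 0;
    csi->gstate = calloc(1, sizeof *csi->gstate);
}

static void csi_free(csi_t *csi) { free(csi->gstate); }

/* Grow the stack. Modelled with malloc+memcpy+free rather than realloc so the
 * array is guaranteed to move (realloc may grow in place, which is why the
 * real bug only showed up on a particular input). */
static void gstate_grow(csi_t *csi)
{
    gstate_t *old = csi->gstate;
    csi->gcap *= 2;
    csi->gstate = malloc(csi->gcap * sizeof *csi->gstate);
    memcpy(csi->gstate, old, (csi->gtop + 1) * sizeof *csi->gstate);
    free(old);
}

/* Push a copy of the current state, growing the array when it is full. */
static void gsave(csi_t *csi)
{
    if (csi->gtop + 1 >= csi->gcap)
        gstate_grow(csi);
    csi->gstate[csi->gtop + 1] = csi->gstate[csi->gtop];
    csi->gtop++;
}

static void grestore(csi_t *csi) { if (csi->gtop > 0) csi->gtop--; }

/* Stand-in for running the group's content stream: nests `depth` save/restore
 * pairs, so the stack may be grown (and moved) while the caller is suspended. */
static void run_group(csi_t *csi, int depth)
{
    for (int i = 0; i < depth; i++) gsave(csi);
    for (int i = 0; i < depth; i++) grestore(csi);
}

/* Returns 1 if running a group of the given depth moved the stack, i.e. a
 * pointer taken before the call no longer addresses the live array. The old
 * address is converted to an integer before the array is freed. */
int stack_moved_during_group(csi_t *csi, int depth)
{
    uintptr_t before = (uintptr_t)(csi->gstate + csi->gtop);
    run_group(csi, depth);
    return (uintptr_t)(csi->gstate + csi->gtop) != before;
}

/* Pre-fix pattern: `gstate` is captured once and written through after
 * run_group(). If the stack moved, the last two stores go to freed memory
 * (ASan reports heap-use-after-free) and the live stack keeps softmask == 0.
 * Shown for the shape of the bug only; deliberately not called. */
void begin_group_before_fix(csi_t *csi, int depth)
{
    gstate_t *gstate = csi->gstate + csi->gtop;
    int softmask = gstate->softmask, save_ctm = gstate->ctm;
    gstate->softmask = 0;
    run_group(csi, depth);
    gstate->softmask = softmask;   /* stale pointer if the stack moved */
    gstate->ctm = save_ctm;
}

/* Fixed pattern: recompute the pointer from base + index after any call that
 * can grow the stack. Returns the softmask now visible on the live stack. */
int begin_group_fixed(csi_t *csi, int depth)
{
    gstate_t *gstate = csi->gstate + csi->gtop;
    int softmask = gstate->softmask, save_ctm = gstate->ctm;
    gstate->softmask = 0;
    run_group(csi, depth);
    gstate = csi->gstate + csi->gtop;  /* the one-line fix from the commit */
    gstate->softmask = softmask;
    gstate->ctm = save_ctm;
    return csi->gstate[csi->gtop].softmask;
}

int main(void)
{
    csi_t csi;
    csi_init(&csi);
    csi.gstate[0].softmask = 7;  /* constructed sample state */
    csi.gstate[0].ctm = 3;
    printf("softmask restored on live stack: %d\n", begin_group_fixed(&csi, 8));
    csi_free(&csi);
    csi_init(&csi);
    printf("stack moved during group: %d\n", stack_moved_during_group(&csi, 8));
    csi_free(&csi);
    return 0;
}
```

Compiling the example with `-fsanitize=address` and calling `begin_group_before_fix` instead of the fixed variant reproduces the report class in the commit message (a write to freed memory on a stack that grew from capacity 1 to 16 during the group).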
-rw-r--r--  pdf/pdf_interpret.c  1
1 files changed, 1 insertions, 0 deletions
diff --git a/pdf/pdf_interpret.c b/pdf/pdf_interpret.c
index 067380c5..e2a21a11 100644
--- a/pdf/pdf_interpret.c
+++ b/pdf/pdf_interpret.c
@@ -354,6 +354,7 @@ pdf_begin_group(pdf_csi *csi, fz_rect bbox)
fz_end_mask(csi->dev);
+ gstate = csi->gstate + csi->gtop;
gstate->softmask = softmask;
gstate->ctm = save_ctm;
}
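Review bot: the added `gstate = csi->gstate + csi->gtop;` after `fz_end_mask(csi->dev);` needs a one-line comment saying why it is there (the group run between removing and restoring the softmask can grow and move csi->gstate), otherwise it reads as a redundant assignment and is an easy target for a future cleanup that reintroduces the stale write. The fix also relies on csi->gtop being back at the depth it had when the softmask was taken off the gstate; that invariant is worth stating next to the recomputation, and any other local pointer into csi->gstate that this function holds across the group run needs the same recomputation.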