author: Sebastian Rasmussen <sebras@gmail.com> 2018-08-19 21:26:16 +0800
committer: Sebastian Rasmussen <sebras@gmail.com> 2018-08-22 19:38:02 +0800
commit: b4a149570a589aa504802ceed22caad13752aa9c (patch)
tree: 1b4b49425c3f994900c47154e0058b86f41a06a3
parent: c7d14ca6453d4dd2e8b3f433fbea17232231f4fd (diff)
download: mupdf-b4a149570a589aa504802ceed22caad13752aa9c.tar.xz
Bug 699653: Avoid dropping filter chain once too often in case of error.
build_filter_chain_drop() promises to extend (according to the fs argument) the filter chain it is given, or in case of exception throw away the at that point potentially extended filter chain it was given from the beginning. Because build_filter_chain_drop() calls build_filter_drop() for every filter it adds, it doesn't need to do any cleanup of the filter chain on its own; that's build_filter_drop()'s responsibility. Prior to this commit, fz_catch() in build_filter_chain_drop() would drop the filter chain one time too many (it was already dropped by build_filter_drop()), causing the callers to use a stale pointer. Now, once the extra fz_drop_stream() has been removed, the logic works as it ought to, even in the case of exceptions. Thanks to oss-fuzz for reporting.
-rw-r--r-- source/pdf/pdf-stream.c 3
1 files changed, 0 insertions, 3 deletions
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index 54d3d561..2b2f010d 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -251,10 +251,7 @@ build_filter_chain_drop(fz_context *ctx, fz_stream *chain, pdf_document *doc, pd
}
}
fz_catch(ctx)
- {
- fz_drop_stream(ctx, chain);
fz_rethrow(ctx);
- }
return chain;
}
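Review bot: The fz_catch(ctx) handler at the end of build_filter_chain_drop() now contains only fz_rethrow(ctx), and nothing at that site records why chain must not be dropped there. A one-line comment saying that build_filter_drop() has already dropped the chain on error would keep a later reader from re-adding fz_drop_stream(ctx, chain) and reintroducing the double drop. If the try block (not visible in this hunk) carries no other cleanup, consider removing the fz_try/fz_catch pair altogether, since a catch that only rethrows adds nothing. The commit message credits an oss-fuzz report, so adding that reproducer as a regression test would cover the error path this change touches.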