authorSimon Bünzli <zeniko@gmail.com>2013-09-04 14:04:39 +0200
committerRobin Watts <robin.watts@artifex.com>2013-09-10 14:09:01 +0100
commit527afcaa0744472d7ad2ef84ce79ab34a036ad85 (patch)
tree0486bc583d3c98ef1ec673724905b81935b9e9a0
parentdc45e762170a9b642af588d1c067757ae6a6c683 (diff)
downloadmupdf-527afcaa0744472d7ad2ef84ce79ab34a036ad85.tar.xz
Bug 694567: prevent double-free in pdf_open_raw_filter
If opening a filter in pdf_open_crypt throws, the stream is closed in the used fz_open_* method and thus mustn't be closed again.
-rw-r--r--source/fitz/filter-basic.c5
-rw-r--r--source/pdf/pdf-stream.c14
2 files changed, 7 insertions, 12 deletions
diff --git a/source/fitz/filter-basic.c b/source/fitz/filter-basic.c
index 3968d193..4e64d016 100644
--- a/source/fitz/filter-basic.c
+++ b/source/fitz/filter-basic.c
@@ -639,9 +639,11 @@ close_aesd(fz_context *ctx, void *state_)
fz_stream *
fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen)
{
- fz_aesd *state;
+ fz_aesd *state = NULL;
fz_context *ctx = chain->ctx;
+ fz_var(state);
+
fz_try(ctx)
{
state = fz_malloc_struct(ctx, fz_aesd);
@@ -654,6 +656,7 @@ fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen)
}
fz_catch(ctx)
{
+ fz_free(ctx, state);
fz_close(chain);
fz_rethrow(ctx);
}
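Review bot: The catch block of fz_open_aesd closes `chain` before rethrowing, but nothing at the function's definition tells callers so; that undocumented ownership transfer is the root of the double close this commit removes from pdf_open_raw_filter. A header comment above `fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen)` should state that the function takes ownership of `chain` on success and on failure, and that a caller must not call `fz_close` on it after a throw. A one-line comment at `fz_var(state);`, for example `/* state is assigned inside fz_try and read in fz_catch */`, would also explain why the NULL initialisation and the fz_var call belong together. The part of the try body between the two hunks is not shown, so which call can throw after the allocation is not visible here.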
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index a46cdcc7..88a7559f 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -244,17 +244,9 @@ pdf_open_raw_filter(fz_stream *chain, pdf_document *doc, pdf_obj *stmobj, int nu
len = pdf_to_int(pdf_dict_gets(stmobj, "Length"));
chain = fz_open_null(chain, len, offset);
- fz_try(ctx)
- {
- hascrypt = pdf_stream_has_crypt(ctx, stmobj);
- if (doc->crypt && !hascrypt)
- chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen);
- }
- fz_catch(ctx)
- {
- fz_close(chain);
- fz_rethrow(ctx);
- }
+ hascrypt = pdf_stream_has_crypt(ctx, stmobj);
+ if (doc->crypt && !hascrypt)
+ chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen);
return chain;
}
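Review bot: With the try/catch removed, `pdf_stream_has_crypt(ctx, stmobj)` runs after `fz_open_null` has already wrapped `chain`, so if that call can throw (its body is not visible here) the newly opened stream is left unclosed on the error path. Computing the flag before the stream is created closes that window: move `hascrypt = pdf_stream_has_crypt(ctx, stmobj);` above `chain = fz_open_null(chain, len, offset);`. A comment on the `pdf_open_crypt` call such as `/* pdf_open_crypt owns chain from here and closes it if it throws */` would record the contract that makes dropping the `fz_close` correct. The beginning of pdf_open_raw_filter lies outside the hunk.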