| author | Simon Bünzli <zeniko@gmail.com> | 2014-01-08 18:59:41 +0100 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-01-08 18:10:06 +0000 |
| commit | 98a111c8e49916f8f5ac21d11f4627540f9ddd49 (patch) | |
| tree | afd7545fbecf226252e31e45e8c30b6717cc07e6 | |
| parent | bdb5cdee34edc38e47bf9b3a9830830d072f0c91 (diff) | |
| download | mupdf-98a111c8e49916f8f5ac21d11f4627540f9ddd49.tar.xz | |
prevent heap access violation in pdf_cache_object
pdf_load_obj_stm may resize the xref if it finds further objects in the
stream; that might, however, invalidate any pdf_xref_entry held, such as
the one in pdf_cache_object. This can be seen e.g. with
7ac3ad9ddad98d10b947a43cf640062f_asan_heap-uaf_930b78_1007_1675.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
| -rw-r--r-- | source/pdf/pdf-xref.c | 1 |
|---|---|---|

1 files changed, 1 insertions, 0 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 2afe4de8..7391f115 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -1690,6 +1690,7 @@ object_updated: { fz_rethrow_message(ctx, "cannot load object stream containing object (%d %d R)", num, gen); } + x = pdf_get_xref_entry(doc, num); if (!x->obj) fz_throw(ctx, FZ_ERROR_GENERIC, "object (%d %d R) was not found in its object stream", num, gen); } |
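Review bot: the added `x = pdf_get_xref_entry(doc, num);` has no comment explaining why it is there, and since `x` was evidently looked up earlier in the function, a future cleanup could easily drop the line as a redundant assignment and silently reintroduce the use-after-free. Suggest a one-line comment above it, e.g. `/* pdf_load_obj_stm may have resized the xref; refresh the entry pointer */`. Two further things to confirm from the surrounding code that the hunk does not show: that no other local derived from the old `x` (or from the xref array it lived in) is still used after the `object_updated:` label, since only `x` itself is refreshed here, and that the ASAN reproducer named in the commit message is added to the regression corpus so the stale-pointer case stays covered.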