author | Robin Watts <robin.watts@artifex.com> | 2012-12-24 15:51:21 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-01-02 12:26:43 +0000 |
commit | 9e92b5bb54700e1e4e77bde517d45820d383db8e | |
tree | 2e3fddc789f3e8e4d0778aa7dfd0a6be2ff9dd69 /fitz/doc_interactive.c | |
parent | 12f83ab602f913e8e34aab5348339bccc8ace53e | |
download | mupdf-9e92b5bb54700e1e4e77bde517d45820d383db8e.tar.xz | |

Bug 693503: Fix leak/illegal memory write caused by stale pointer

When running a softmask, we remove the softmask from the gstate,
then run the group contents, then put the softmask back.

If the gstate stack is moved in the meantime (due to it being
realloced for extension), we can end up with it being moved.
We therefore must recalculate gstate before writing again.

Problem found in a test file, pdf_001/2599.pdf.asan.58.1778 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!

Diffstat (limited to 'fitz/doc_interactive.c')
0 files changed, 0 insertions, 0 deletions
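
The stale-pointer pattern the commit message describes, as an added C sketch that is not MuPDF's code and is not taken from the commit: a pointer into a growable gstate stack is saved, nested work reallocates the stack, and the pointer is recomputed from an index before the softmask is written back. The types, function names, stack size and the value 42 are assumptions made for the illustration.

```c
/* Added illustration, not MuPDF source; all names are hypothetical. */
#include <stdlib.h>
typedef struct { int softmask; } gstate_t;   /* one graphics state */
typedef struct { gstate_t *stack; int top, cap; } ctx_t;

/* Push a copy of the current gstate; realloc may move the whole stack. */
static int push_gstate(ctx_t *c) {
    if (c->top + 1 == c->cap) {
        gstate_t *n = realloc(c->stack, (size_t)c->cap * 2 * sizeof *n);
        if (!n) return -1;
        c->stack = n;
        c->cap *= 2;
    }
    c->stack[c->top + 1] = c->stack[c->top];
    c->top++;
    return 0;
}

/* Stand-in for running group contents: nests `depth` gstates, then pops. */
static int run_contents(ctx_t *c, int depth) {
    int base = c->top, rc = 0;
    for (int i = 0; i < depth && rc == 0; i++)
        rc = push_gstate(c);
    c->top = base;
    return rc;
}

/* Remove the softmask, run the contents, put the softmask back. */
static int run_softmask(ctx_t *c, int depth) {
    int idx = c->top;                /* an index stays valid across realloc */
    gstate_t *gs = &c->stack[idx];   /* a pointer into the stack does not */
    int saved = gs->softmask;
    gs->softmask = 0;
    int rc = run_contents(c, depth);
    /* Writing through the old gs here is the stale-pointer bug: if the
       stack grew, gs refers to freed memory. Recompute it first. */
    gs = &c->stack[idx];
    gs->softmask = saved;
    return rc;
}

/* Constructed scenario: 2-slot stack, softmask 42; returns it after the run. */
int softmask_after_run(int depth) {
    ctx_t c = { malloc(2 * sizeof(gstate_t)), 0, 2 };
    if (!c.stack) return -1;
    c.stack[0].softmask = 42;
    int out = run_softmask(&c, depth) < 0 ? -1 : c.stack[c.top].softmask;
    free(c.stack);
    return out;
}
```

Building this with `-fsanitize=address` and deleting the recompute line makes the restore write land in freed memory whenever the nested run grows the stack, which is the class of report the commit message credits to Address Sanitizer.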