diff options
| author | Robin Watts <robin.watts@artifex.com> | 2013-07-01 15:30:07 +0100 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2013-07-01 15:58:00 +0100 |
| commit | 10ffbc1df88eb370a73aca6b07cc797db2690b97 (patch) | |
| tree | 9443e39d278b17eb84dd14261dc65c189b40f755 /include | |
| parent | 7adb94c1d814b57fd6c1696dfdc7c259191540a8 (diff) | |
| download | mupdf-10ffbc1df88eb370a73aca6b07cc797db2690b97.tar.xz | |
Bug 694382: Fix use-after-free due to type3 fonts.
Thanks to zeniko for spotting the problem here.
Type 3 fonts contain a reference to the resources objects required
to render the glyphs. Traditionally these have been freed when the
font is freed. Unfortunately, after recent changes, freeing a PDF
object requires the pdf_document concerned to still exist.
While in most cases the type 3 resources are not used after we have
converted the type3 glyphs to display lists, this is not always the
case. For uncachable Type 3 glyphs (such as those that do not
completely define elements in the graphics state that they use, such
as color or line width), we end up running the glyphs at interpretation
time.
[ Interpretation time = when doing a direct render on the main thread,
or when creating a display list - so also on the main thread. No
multi-threading issues with file access here. ]
The fix implemented here is for each pdf document to keep a list of
the type3 fonts it has created, and to 'decouple' them from the
document when the document is destroyed. The sole effect of this
decoupling is to remove the resources (and the PDF operator buffers)
from the font. These are only ever used during interpretation, and
no further interpretations are possible without the document being
alive anyway, so this should have no net effect on operation, other
than allowing cleanup to proceed cleanly later on.
Diffstat (limited to 'include')
| -rw-r--r-- | include/mupdf/fitz/font.h | 2 | ||||
| -rw-r--r-- | include/mupdf/pdf/document.h | 4 |
2 files changed, 6 insertions, 0 deletions
diff --git a/include/mupdf/fitz/font.h b/include/mupdf/fitz/font.h index 00588d13..38f6c697 100644 --- a/include/mupdf/fitz/font.h +++ b/include/mupdf/fitz/font.h @@ -78,6 +78,8 @@ void fz_set_font_bbox(fz_context *ctx, fz_font *font, float xmin, float ymin, fl fz_rect *fz_bound_glyph(fz_context *ctx, fz_font *font, int gid, const fz_matrix *trm, fz_rect *r); int fz_glyph_cacheable(fz_context *ctx, fz_font *font, int gid); +void fz_decouple_type3_font(fz_context *ctx, fz_font *font, void *t3doc); + #ifndef NDEBUG void fz_print_font(fz_context *ctx, FILE *out, fz_font *font); #endif diff --git a/include/mupdf/pdf/document.h b/include/mupdf/pdf/document.h index 736ae4e5..c65fe893 100644 --- a/include/mupdf/pdf/document.h +++ b/include/mupdf/pdf/document.h @@ -206,6 +206,10 @@ struct pdf_document_s pdf_doc_event_cb *event_cb; void *event_cb_data; + + int num_type3_fonts; + int max_type3_fonts; + fz_font **type3_fonts; }; /* |