author | Robin Watts <robin.watts@artifex.com> | 2013-01-03 16:37:15 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2013-01-04 14:25:37 +0000 |
commit | 1b3cb5fb5cad8eaf43daf4066c28febb4ec12c0b (patch) | |
tree | 094fe8e11383ae7c9b75e51e5b72c5b06576e3e8 /pdf/mupdf.h | |
parent | 3333ceb551d107506009e0982023960ceaf9a98f (diff) | |
download | mupdf-1b3cb5fb5cad8eaf43daf4066c28febb4ec12c0b.tar.xz |
Bug 693503: Fix stack overflows due to infinite recursion.

If a colorspace refers to itself as a base, we can get an infinite
recursion and hence stack overflow. Thanks to zeniko for pointing out
that this occurs in embedded CMAPs and stitching functions. Also
solved here.

To avoid having to keep a long list of the objects we've traversed
through, extend the pdf_dict_mark functions to work on all pdf objects,
and hence rename them as pdf_obj_mark etc. Thanks to zeniko again for
feedback on this way of working.

Problem found in a test file, 3882.pdf.SIGSEGV.99.3204 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'pdf/mupdf.h')
-rw-r--r-- | pdf/mupdf.h | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/pdf/mupdf.h b/pdf/mupdf.h index 5daba8da..72248017 100644 --- a/pdf/mupdf.h +++ b/pdf/mupdf.h @@ -44,10 +44,10 @@ int pdf_is_stream(pdf_document *doc, int num, int gen); int pdf_objcmp(pdf_obj *a, pdf_obj *b); -/* dict marking and unmarking functions - to avoid infinite recursions */ -int pdf_dict_marked(pdf_obj *obj); -int pdf_dict_mark(pdf_obj *obj); -void pdf_dict_unmark(pdf_obj *obj); +/* obj marking and unmarking functions - to avoid infinite recursions. */ +int pdf_obj_marked(pdf_obj *obj); +int pdf_obj_mark(pdf_obj *obj); +void pdf_obj_unmark(pdf_obj *obj); /* safe, silent failure, no error reporting on type mismatches */ int pdf_to_bool(pdf_obj *obj); |
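Review bot: the comment above the three pdf_obj_* declarations in pdf/mupdf.h says only that they exist "to avoid infinite recursions" and leaves the contract undocumented: it does not say what the int returned by pdf_obj_mark and pdf_obj_marked means, nor that a mark must be cleared with pdf_obj_unmark on every exit path, error paths included. Since these functions are now the guard against self-referencing colorspaces, CMAPs and functions, a stale mark would silently make later traversals skip a valid object and a missed check would reintroduce the overflow, so the header should spell out the return values and the pairing requirement. Now that the functions accept any pdf_obj rather than only dicts, the comment should also state what happens for object types that cannot carry a mark. Separately, the pdf_dict_mark, pdf_dict_marked and pdf_dict_unmark names are removed from this header with no compatibility alias, so any caller outside this commit that still uses the old names will fail to build; worth a note in the change log if that is intended.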