diff options
| author | Robin Watts <robin.watts@artifex.com> | 2013-01-03 16:37:15 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2013-01-04 14:25:37 +0000 |
| commit | 1b3cb5fb5cad8eaf43daf4066c28febb4ec12c0b (patch) | |
| tree | 094fe8e11383ae7c9b75e51e5b72c5b06576e3e8 /pdf/pdf_interpret.c | |
| parent | 3333ceb551d107506009e0982023960ceaf9a98f (diff) | |
| download | mupdf-1b3cb5fb5cad8eaf43daf4066c28febb4ec12c0b.tar.xz | |
Bug 693503: Fix stack overflows due to infinite recursion.
If a colorspace refers to itself as a base, we can get an infinite
recursion and hence stack overflow. Thanks to zeniko for pointing out
that this occurs in embedded CMAPs and stitching functions. Also
solved here.
To avoid having to keep a long list of the objects we've traversed
through, extend the pdf_dict_mark functions to work on all pdf objects,
and hence rename them as pdf_obj_mark etc. Thanks to zeniko again for
feedback on this way of working.
Problem found in a test file, 3882.pdf.SIGSEGV.99.3204 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'pdf/pdf_interpret.c')
| -rw-r--r-- | pdf/pdf_interpret.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/pdf/pdf_interpret.c b/pdf/pdf_interpret.c index 9f81d629..860ad62d 100644 --- a/pdf/pdf_interpret.c +++ b/pdf/pdf_interpret.c @@ -155,7 +155,7 @@ pdf_is_hidden_ocg(pdf_obj *ocg, pdf_csi *csi, pdf_obj *rdb) fz_context *ctx = csi->dev->ctx; /* Avoid infinite recursions */ - if (pdf_dict_marked(ocg)) + if (pdf_obj_marked(ocg)) return 0; /* If no ocg descriptor, everything is visible */ @@ -277,8 +277,8 @@ pdf_is_hidden_ocg(pdf_obj *ocg, pdf_csi *csi, pdf_obj *rdb) combine = 0; } - if (pdf_dict_mark(ocg)) - fz_throw(ctx, "Failed to mark OCG - out of memory?"); + if (pdf_obj_mark(ocg)) + return 0; /* Should never happen */ fz_try(ctx) { obj = pdf_dict_gets(ocg, "OCGs"); @@ -307,7 +307,7 @@ pdf_is_hidden_ocg(pdf_obj *ocg, pdf_csi *csi, pdf_obj *rdb) } fz_always(ctx) { - pdf_dict_unmark(ocg); + pdf_obj_unmark(ocg); } fz_catch(ctx) { @@ -1387,7 +1387,7 @@ pdf_run_xobject(pdf_csi *csi, pdf_obj *resources, pdf_xobject *xobj, fz_matrix t int popmask; /* Avoid infinite recursion */ - if (xobj == NULL || pdf_dict_mark(xobj->me)) + if (xobj == NULL || pdf_obj_mark(xobj->me)) return; fz_var(gstate); @@ -1477,7 +1477,7 @@ pdf_run_xobject(pdf_csi *csi, pdf_obj *resources, pdf_xobject *xobj, fz_matrix t pdf_grestore(csi); } - pdf_dict_unmark(xobj->me); + pdf_obj_unmark(xobj->me); } fz_catch(ctx) { |