authorRobin Watts <robin.watts@artifex.com>2012-12-13 12:21:40 +0000
committerRobin Watts <robin.watts@artifex.com>2012-12-13 12:25:29 +0000
commit085ba5b10d18e3edf15a1f6ecc064af401e6d89d (patch)
tree5e603a676fde02a0b668c97b940ad1c4819fc1d3 /pdf
parente1d2edc18d76259dd70209fecb8bdab4700918e8 (diff)
downloadmupdf-085ba5b10d18e3edf15a1f6ecc064af401e6d89d.tar.xz
Bug 693290: Fix use after free in obj stream handling.
Thanks to zeniko for pointing this out. If we encounter a new definition for a given object (presumably due to a repair operation), we used to throw the old one away, and keep the new one. This could cause any current holders of the object to be left with a stale pointer. Now we throw the new one away and keep the old one - with a warning if they are different.
Diffstat (limited to 'pdf')
-rw-r--r--pdf/pdf_xref.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
index 4f19428d..0f47cdaa 100644
--- a/pdf/pdf_xref.c
+++ b/pdf/pdf_xref.c
@@ -995,9 +995,18 @@ pdf_load_obj_stm(pdf_document *xref, int num, int gen, pdf_lexbuf *buf)
if (xref->table[numbuf[i]].type == 'o' && xref->table[numbuf[i]].ofs == num)
{
- if (xref->table[numbuf[i]].obj)
- pdf_drop_obj(xref->table[numbuf[i]].obj);
- xref->table[numbuf[i]].obj = obj;
+ /* If we already have an entry for this object,
+ * we'd like to drop it and use the new one -
+ * but this means that anyone currently holding
+ * a pointer to the old one will be left with a
+ * stale pointer. Instead, we drop the new one
+ * and trust that the old one is correct. */
+ if (xref->table[numbuf[i]].obj) {
+ if (pdf_objcmp(xref->table[numbuf[i]].obj, obj))
+ fz_warn(ctx, "Encountered new definition for object %d - keeping the original one", numbuf[i]);
+ pdf_drop_obj(obj);
+ } else
+ xref->table[numbuf[i]].obj = obj;
}
else
{