| Field | Value | Date |
|---|---|---|
| author | Robin Watts <robin.watts@artifex.com> | 2012-12-13 12:21:40 +0000 |
| committer | Robin Watts <robin.watts@artifex.com> | 2012-12-13 12:25:29 +0000 |
| commit | 085ba5b10d18e3edf15a1f6ecc064af401e6d89d (patch) | |
| tree | 5e603a676fde02a0b668c97b940ad1c4819fc1d3 /pdf | |
| parent | e1d2edc18d76259dd70209fecb8bdab4700918e8 (diff) | |
| download | mupdf-085ba5b10d18e3edf15a1f6ecc064af401e6d89d.tar.xz | |
Bug 693290: Fix use after free in obj stream handling.
Thanks to zeniko for pointing this out. If we encounter a new definition
for a given object (presumably due to a repair operation), we used to
throw the old one away, and keep the new one. This could cause any
current holders of the object to be left with a stale pointer.
Now we throw the new one away and keep the old one - with a warning
if they are different.
Diffstat (limited to 'pdf')
-rw-r--r-- pdf/pdf_xref.c | 15
1 files changed, 12 insertions, 3 deletions
diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c index 4f19428d..0f47cdaa 100644 --- a/pdf/pdf_xref.c +++ b/pdf/pdf_xref.c @@ -995,9 +995,18 @@ pdf_load_obj_stm(pdf_document *xref, int num, int gen, pdf_lexbuf *buf) if (xref->table[numbuf[i]].type == 'o' && xref->table[numbuf[i]].ofs == num) { - if (xref->table[numbuf[i]].obj) - pdf_drop_obj(xref->table[numbuf[i]].obj); - xref->table[numbuf[i]].obj = obj; + /* If we already have an entry for this object, + * we'd like to drop it and use the new one - + * but this means that anyone currently holding + * a pointer to the old one will be left with a + * stale pointer. Instead, we drop the new one + * and trust that the old one is correct. */ + if (xref->table[numbuf[i]].obj) { + if (pdf_objcmp(xref->table[numbuf[i]].obj, obj)) + fz_warn(ctx, "Encountered new definition for object %d - keeping the original one", numbuf[i]); + pdf_drop_obj(obj); + } else + xref->table[numbuf[i]].obj = obj; } else { |
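Review bot: the new `if (xref->table[numbuf[i]].obj) { ... } else` leaves the else arm unbraced while the if arm is braced, which is easy to misread next to the braced `} else {` of the enclosing block that follows; brace both arms for consistency: `} else {` / `xref->table[numbuf[i]].obj = obj;` / `}`. Two smaller points on the same hunk: the `fz_warn` text names only `numbuf[i]`, so including the object stream number `num` (already a parameter of `pdf_load_obj_stm`) would tell a reader of the log which stream supplied the conflicting definition; and the fix deliberately trusts the first definition seen, as the added comment says, so it would be worth stating in the commit message that a repaired file whose later definition is the correct one will now be warned about rather than fixed.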