author | Robin Watts <robin.watts@artifex.com> | 2014-01-14 15:45:14 +0000 |
---|---|---|
committer | Robin Watts <robin.watts@artifex.com> | 2014-01-16 15:38:17 +0000 |
commit | 0ba1b9055a18bad2c2249c711d971bfaf1283251 (patch) | |
tree | 70c1faec6644535c98d4edd594670e7aa1d2e710 /source/pdf/pdf-event.c | |
parent | 68416d07f5a867fd9278d273bc5e35ee8c98b5b1 (diff) | |
download | mupdf-0ba1b9055a18bad2c2249c711d971bfaf1283251.tar.xz |
Bug 694894: Avoid throwing away an object while in use.

When we call to execute a pattern, we clear out the pdf_csi (the
interpreter state). This involves clearing the stack and throwing
away the record of the object we have just parsed.

Unfortunately, when filling glyphs with a pattern, that object is
still in use. We therefore amend the pdf_run_contents_stream to
safely stash the object away and restore it afterwards.

This solves this problem, and protects us against any other similar
problems that might also arise.

This solves:
b8e2b57991896bf8120215cfbf7b54bb_asan_heap-uaf_86064f_2362_2587.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.

Diffstat (limited to 'source/pdf/pdf-event.c')
0 files changed, 0 insertions, 0 deletions