| author | Robin Watts <robin.watts@artifex.com> | 2014-01-09 15:54:48 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-01-09 17:03:51 +0000 |
| commit | bf20683f737a39ccb0e8c74735fdd6805025c987 (patch) | |
| tree | 201b76123a723631999db1b7ab8786406ac12e37 /source/pdf/pdf-stream.c | |
| parent | 818db87cfa20034cf5215eb640110065acc2c92c (diff) | |
| download | mupdf-bf20683f737a39ccb0e8c74735fdd6805025c987.tar.xz | |
Bug 694878: Fix SEGV due to double free
When constructing a filter chain, we pass ownership of 'chain' inwards.
This means we need to be careful not to double close chain.
This fixes:
5df97f8539d31745f1c45cc9e1468825_asan_heap-oob_a59afe_1862_225.pdf
a736faf6f4a34b7ad8eff207ba52aa57_asan_heap-oob_a59dd9_5744_4860.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the fuzzing files.
Diffstat (limited to 'source/pdf/pdf-stream.c')
-rw-r--r-- | source/pdf/pdf-stream.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c index f747a54b..0f568f16 100644 --- a/source/pdf/pdf-stream.c +++ b/source/pdf/pdf-stream.c @@ -298,12 +298,22 @@ pdf_open_filter(fz_stream *chain, pdf_document *doc, pdf_obj *stmobj, int num, i chain = pdf_open_raw_filter(chain, doc, stmobj, num, num, gen, offset); + fz_var(chain); + fz_try(doc->ctx) { if (pdf_is_name(filters)) - chain = build_filter(chain, doc, filters, params, num, gen, imparams); + { + fz_stream *chain2 = chain; + chain = NULL; + chain = build_filter(chain2, doc, filters, params, num, gen, imparams); + } else if (pdf_array_len(filters) > 0) - chain = build_filter_chain(chain, doc, filters, params, num, gen, imparams); + { + fz_stream *chain2 = chain; + chain = NULL; + chain = build_filter_chain(chain2, doc, filters, params, num, gen, imparams); + } } fz_catch(doc->ctx) { |
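Review bot: The ownership handoff that this hunk relies on is implicit; at the two `chain = NULL;` lines, add a comment stating that build_filter() and build_filter_chain() take ownership of `chain2` even when they throw, so that the fz_catch block must not close it, otherwise a later reader may "simplify" the NULL assignment away and reintroduce the double free. The `fz_var(chain);` before `fz_try(doc->ctx)` is required, not optional: `chain` is assigned inside the try block and read after the longjmp in fz_catch, and without fz_var its value is unspecified at that point. Finally, both branches repeat the same three lines (`fz_stream *chain2 = chain;`, `chain = NULL;`, the call); hoisting the first two above the `if (pdf_is_name(filters))` test would leave one copy of the pattern to keep correct.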