| author | Robin Watts <robin.watts@artifex.com> | 2014-01-14 15:45:14 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2014-01-16 15:38:17 +0000 |
| commit | 0ba1b9055a18bad2c2249c711d971bfaf1283251 (patch) | |
| tree | 70c1faec6644535c98d4edd594670e7aa1d2e710 /source/pdf | |
| parent | 68416d07f5a867fd9278d273bc5e35ee8c98b5b1 (diff) | |
| download | mupdf-0ba1b9055a18bad2c2249c711d971bfaf1283251.tar.xz | |
Bug 694894: Avoid throwing away an object while in use.
When we call to execute a pattern, we clear out the pdf_csi (the
interpreter state). This involves clearing the stack and throwing
away the record of the object we have just parsed.
Unfortunately, when filling glyphs with a pattern, that object is
still in use. We therefore amend the pdf_run_contents_stream to
safely stash the object away and restore it afterwards.
This solves this problem, and protects us against any other similar
problems that might also arise.
This solves:
b8e2b57991896bf8120215cfbf7b54bb_asan_heap-uaf_86064f_2362_2587.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
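The commit message describes a nested content stream clearing the interpreter state and releasing an object the outer operator is still using, and the fix of stashing that object around the nested run. The following is an added example, not MuPDF's code: it models the ownership problem with a hypothetical refcounted `obj_t`, an interpreter state `csi_t`, and the functions `run_contents_stream_before`, `run_contents_stream_after`, `fill_glyph_with_pattern` and `run_operator` (all assumed names). Objects come from a fixed pool so that a "freed" object can still be inspected to detect the use-after-free without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a refcounted object and the interpreter state.
   These are not MuPDF's pdf_obj / pdf_csi; they only model ownership. */
typedef struct {
    int refs;
    int freed;          /* set when the last reference goes; stands in for free() */
    char name[16];
} obj_t;

typedef struct {
    obj_t *obj;         /* the operand parsed for the operator now executing */
} csi_t;

typedef struct {
    int safe;           /* 1 if the outer operand was still alive when reused */
    int restored;       /* 1 if csi->obj was the outer operand again afterwards */
    int live_after;     /* objects still referenced once the operator finished */
} result_t;

/* Fixed pool instead of malloc, so a "freed" object can still be examined. */
#define MAX_OBJS 8
static obj_t pool[MAX_OBJS];
static int pool_used;
static int live_objects;

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    pool_used = 0;
    live_objects = 0;
}

static obj_t *obj_new(const char *name)
{
    if (pool_used == MAX_OBJS) abort();
    obj_t *o = &pool[pool_used++];
    o->refs = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    live_objects++;
    return o;
}

/* NULL-safe drop, mirroring how a refcounted drop routine behaves. */
static void obj_drop(obj_t *o)
{
    if (!o || o->freed) return;
    if (--o->refs == 0) { o->freed = 1; live_objects--; }
}

/* The nested content stream (a pattern's, say) parses operands of its own
   into csi->obj and here returns with one still pending, as a stream cut
   short would. */
static void run_stream(csi_t *csi)
{
    csi->obj = obj_new("inner");
}

/* Before the fix: entering the nested run clears the interpreter state,
   which releases the operand the outer operator is still holding. */
static void run_contents_stream_before(csi_t *csi)
{
    obj_drop(csi->obj);
    csi->obj = NULL;
    run_stream(csi);
}

/* After the fix: stash the caller's operand, run, drop whatever the nested
   stream left pending, then restore. In the real code the last two steps
   sit in fz_always so they also run when the nested stream throws. */
static void run_contents_stream_after(csi_t *csi)
{
    obj_t *save_obj = csi->obj;
    csi->obj = NULL;
    run_stream(csi);
    obj_drop(csi->obj);
    csi->obj = save_obj;
}

/* The outer operator borrows its operand from csi->obj (the interpreter
   still owns it), runs the pattern's stream, then needs the operand again. */
static int fill_glyph_with_pattern(csi_t *csi, void (*run_contents)(csi_t *))
{
    obj_t *pattern = csi->obj;
    run_contents(csi);
    return pattern->freed ? 0 : 1;    /* freed here is the use-after-free */
}

/* Drive one outer operator end to end, with or without the fix. */
result_t run_operator(int fixed)
{
    result_t r;
    csi_t csi = { NULL };
    pool_reset();
    obj_t *outer = obj_new("outer");
    csi.obj = outer;                              /* operand just parsed */
    r.safe = fill_glyph_with_pattern(&csi, fixed ? run_contents_stream_after
                                                 : run_contents_stream_before);
    r.restored = (csi.obj == outer);
    obj_drop(csi.obj);                            /* operator done; release it */
    csi.obj = NULL;
    r.live_after = live_objects;
    return r;
}

int main(void)
{
    result_t b = run_operator(0), a = run_operator(1);
    printf("before fix: safe=%d restored=%d live=%d\n", b.safe, b.restored, b.live_after);
    printf("after fix:  safe=%d restored=%d live=%d\n", a.safe, a.restored, a.live_after);
    return 0;
}
```

Running `run_operator(0)` reports the operand as already released when the outer operator reuses it; `run_operator(1)` keeps it alive, puts it back in `csi.obj`, and leaves no object referenced once the operator completes, which is what the `fz_always` drop-and-restore in the patch achieves on both the normal and the error path.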
Diffstat (limited to 'source/pdf')
-rw-r--r-- | source/pdf/pdf-interpret.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c index 71dcbd4e..eeb2f371 100644 --- a/source/pdf/pdf-interpret.c +++ b/source/pdf/pdf-interpret.c @@ -2954,6 +2954,7 @@ pdf_run_contents_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file) pdf_lexbuf *buf; int save_in_text; int save_gbot; + pdf_obj *save_obj; fz_var(buf); @@ -2966,10 +2967,17 @@ pdf_run_contents_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file) csi->in_text = 0; save_gbot = csi->gbot; csi->gbot = csi->gtop; + save_obj = csi->obj; + csi->obj = NULL; fz_try(ctx) { pdf_run_stream(csi, rdb, file, buf); } + fz_always(ctx) + { + pdf_drop_obj(csi->obj); + csi->obj = save_obj; + } fz_catch(ctx) { fz_rethrow_if(ctx, FZ_ERROR_TRYLATER); |
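Review bot: the new `pdf_obj *save_obj;` declaration in the first hunk carries no comment explaining why the object is stashed, and the reason (a nested content stream must not release the operand the outer operator is still using) lives only in the commit message; a one-line comment at the declaration or at the `save_obj = csi->obj;` assignment would save the next reader a trip to the log. No `fz_var(save_obj)` is needed, since `save_obj` is written before `fz_try` and only read in `fz_always`, unlike `buf`, which the existing `fz_var(buf)` protects.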
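Review bot: in the second hunk the restore of `csi->obj` goes into a new `fz_always` block, while the other state saved right above it (`save_in_text`, `save_gbot`) is restored somewhere outside this hunk; restoring all three in the same `fz_always` would give the error path a consistent interpreter state and keep the save/restore pairs together. Also, `pdf_drop_obj(csi->obj)` in `fz_always` can run with `csi->obj` still `NULL` (it is set to `NULL` just before `fz_try`), so this relies on `pdf_drop_obj` tolerating a `NULL` argument, which the drop functions in this code base do.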