diff options
| author | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-05 22:00:06 +0800 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-10 13:54:32 +0800 |
| commit | 6f8cb5606e426084160eaec82e9c11966e7fb5f4 (patch) | |
| tree | 45f80a2cca7be037a3a983b5bad5ad99b0c2da5c /source | |
| parent | db6823cd748a65930b778dd3859a6fe99f38be96 (diff) | |
| download | mupdf-6f8cb5606e426084160eaec82e9c11966e7fb5f4.tar.xz | |
Bug 699629: Avoid referencing stale/moved nodes in CMap splay tree.
Thanks to oss-fuzz for reporting.
Diffstat (limited to 'source')
| -rw-r--r-- | source/pdf/pdf-cmap.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/source/pdf/pdf-cmap.c b/source/pdf/pdf-cmap.c index 0764e32b..5593f967 100644 --- a/source/pdf/pdf-cmap.c +++ b/source/pdf/pdf-cmap.c @@ -543,6 +543,12 @@ add_range(fz_context *ctx, pdf_cmap *cmap, unsigned int low, unsigned int high, tree[current].low = high + 1; if (tree[current].low > tree[current].high) { + /* update lt/gt references that will be moved/stale after deleting current */ + if (gt == cmap->tlen - 1) + gt = current; + if (lt == cmap->tlen - 1) + lt = current; + /* delete_node() moves the element at cmap->tlen-1 into current */ move = delete_node(cmap, current); current = EMPTY; continue; |