authorSimon Bünzli <zeniko@gmail.com>2014-01-08 18:59:41 +0100
committerRobin Watts <robin.watts@artifex.com>2014-01-08 18:10:06 +0000
commit98a111c8e49916f8f5ac21d11f4627540f9ddd49 (patch)
treeafd7545fbecf226252e31e45e8c30b6717cc07e6 /source
parentbdb5cdee34edc38e47bf9b3a9830830d072f0c91 (diff)
downloadmupdf-98a111c8e49916f8f5ac21d11f4627540f9ddd49.tar.xz
prevent heap access violation in pdf_cache_object
pdf_load_obj_stm may resize the xref if it finds further objects in the stream; that might however invalidate any pdf_xref_entry pointer held across the call, such as the one in pdf_cache_object. This can be seen e.g. with 7ac3ad9ddad98d10b947a43cf640062f_asan_heap-uaf_930b78_1007_1675.pdf Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
Diffstat (limited to 'source')
-rw-r--r--source/pdf/pdf-xref.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 2afe4de8..7391f115 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1690,6 +1690,7 @@ object_updated:
{
fz_rethrow_message(ctx, "cannot load object stream containing object (%d %d R)", num, gen);
}
+ x = pdf_get_xref_entry(doc, num);
if (!x->obj)
fz_throw(ctx, FZ_ERROR_GENERIC, "object (%d %d R) was not found in its object stream", num, gen);
}
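Review bot: The added `x = pdf_get_xref_entry(doc, num);` carries no comment, so a later reader sees `x` reloaded immediately after it was already looked up and is likely to treat the line as redundant and remove it, reintroducing the use-after-free the commit fixes; add `/* pdf_load_obj_stm may have resized (reallocated) the xref table, so the pointer obtained before the call is stale and must be refreshed before use. */` above it. The body of pdf_cache_object starts and ends outside the hunk, so I cannot see whether `x` is dereferenced anywhere between the original lookup and the pdf_load_obj_stm call; if it is, that earlier use is still safe only because the resize happens inside the call. The same hazard presumably applies to any other caller that keeps a pdf_xref_entry pointer across pdf_load_obj_stm (or anything else that can grow the xref), so those call sites are worth auditing for the same pattern.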