author Sebastian Rasmussen <sebras@gmail.com> 2017-09-25 13:04:11 +0200
committer Sebastian Rasmussen <sebras@gmail.com> 2017-09-25 15:08:25 +0200
commit c2663e51238ec8256da7fc61ad580db891d9fe9a (patch)
tree 82d8431cd8083857bf7eb640a33989e87c6765bb /source
parent 32a7ebd389cbd2df02034400c7536ab8330984ca (diff)
download mupdf-c2663e51238ec8256da7fc61ad580db891d9fe9a.tar.xz
Bug 698592: Mark variable fz_var(), avoiding optimization.
The change in 2707fa9e8e6d17d794330e719dec1b08161fb045 in build_filter_chain() allows for the variable chain to reside in a register, which means that the bug is likely to only be visible if built under optimization. First the chain variable is transferred to chain2, then set to NULL, then when an exception occurs in build_filter() the filter chain will be freed by build_filter(). Next the expectation is that execution proceeds to fz_catch() where fz_drop_stream() would be called with chain == NULL. However due to the chain variable residing in a register, its value is not NULL as expected, but was reset to its original value upon the exception (since they use setjmp()), hence fz_drop_stream() is called with a non-NULL value. Marking the chain variable with fz_var() prevents the compiler from allowing the chain variable to reside in a register and hence its value will remain NULL and never be reset.
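As an added illustration (not part of the commit or of mupdf's own code), the setjmp()/longjmp() behaviour the message describes, reduced to a stand-alone C program: volatile stands in for fz_var(), and the hypothetical build_filter_fails() plays the role of build_filter() freeing the chain before throwing.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

static jmp_buf env;

/* Stand-in for build_filter(): takes ownership of chain, frees it, then "throws". */
static void build_filter_fails(void *chain)
{
    free(chain);
    longjmp(env, 1); /* unwind to the enclosing setjmp(), like fz_throw() */
}

/* The commit's sequence: chain handed to chain2 and set to NULL, callee frees chain2 and
   throws. Returns 1 if the catch path sees NULL (so a drop there skips the freed stream). */
static int catch_sees_null_with_var(void)
{
    /* volatile is the portable stand-in for fz_var(): the NULL store must reach memory,
       so longjmp() cannot bring back a stale register copy of chain. */
    void * volatile chain = malloc(16);
    void *chain2;
    if (setjmp(env) == 0) {
        chain2 = chain;
        chain = NULL;
        build_filter_fails(chain2);
        return -1; /* not reached */
    }
    return chain == NULL; /* the fz_catch() path */
}

/* Same sequence unmarked. C leaves chain indeterminate after longjmp(); optimized builds
   typically restore the pre-setjmp pointer, the double free the commit fixes. Build-dependent. */
static int catch_sees_null_without_var(void)
{
    void *chain = malloc(16);
    void *chain2;
    if (setjmp(env) == 0) {
        chain2 = chain;
        chain = NULL;
        build_filter_fails(chain2);
        return -1;
    }
    return chain == NULL;
}

int main(void)
{
    printf("marked: %d  unmarked: %d\n", catch_sees_null_with_var(), catch_sees_null_without_var());
    return 0;
}
```

Compile once with -O0 and once with -O2 to see the unmarked result change while the marked one stays 1.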
Diffstat (limited to 'source')
-rw-r--r-- source/pdf/pdf-stream.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index baf9f0a6..56592b06 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
pdf_obj *p;
int i, n;
+ fz_var(chain);
+
fz_try(ctx)
{
n = pdf_array_len(ctx, fs);
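Review bot: fz_var(chain) is placed before fz_try(), which is where it must go, but the fz_catch() block and the chain2 handling the commit message describes fall outside the visible context, so the hunk alone cannot confirm that chain is the only local both written inside fz_try() and read in fz_catch(); please verify that chain2, or any other such local, does not need the same marking. A one-line comment above the call, e.g. `/* chain is set to NULL inside fz_try() and read in fz_catch(); keep it out of a register across the longjmp(). */`, would record why the marking is required so it is not removed later as an apparent no-op.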