From 1ec022b2c58c361a19c18a15c2512fa06e5c328d Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Thu, 13 Sep 2018 18:31:38 +0800
Subject: Bug 699768: Drop default colorspaces even if page transformation fails.
pdf_page_transform() may throw due to a cycle in the page tree. When this happened mupdf would previously forget to drop the default colorspaces obtained, after this commit they are dropped. Thanks to oss-fuzz for reporting.
---
 source/pdf/pdf-run.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/source/pdf/pdf-run.c b/source/pdf/pdf-run.c
index 4d607cc7..b0364435 100644
--- a/source/pdf/pdf-run.c
+++ b/source/pdf/pdf-run.c
@@ -16,23 +16,23 @@ pdf_run_annot_with_usage(fz_context *ctx, pdf_document *doc, pdf_page *page, pdf
 if (default_cs) fz_set_default_colorspaces(ctx, dev, default_cs);
- pdf_page_transform(ctx, page, &mediabox, &page_ctm);
-
- flags = pdf_dict_get_int(ctx, annot->obj, PDF_NAME(F));
- if (flags & PDF_ANNOT_IS_NO_ROTATE)
+ fz_try(ctx)
 {
- int rotate = pdf_to_int(ctx, pdf_dict_get_inheritable(ctx, page->obj, PDF_NAME(Rotate)));
- fz_rect rect = pdf_dict_get_rect(ctx, annot->obj, PDF_NAME(Rect));
- fz_point tp = fz_transform_point_xy(rect.x0, rect.y1, page_ctm);
- page_ctm = fz_concat(page_ctm, fz_translate(-tp.x, -tp.y));
- page_ctm = fz_concat(page_ctm, fz_rotate(-rotate));
- page_ctm = fz_concat(page_ctm, fz_translate(tp.x, tp.y));
- }
+ pdf_page_transform(ctx, page, &mediabox, &page_ctm);
+
+ flags = pdf_dict_get_int(ctx, annot->obj, PDF_NAME(F));
+ if (flags & PDF_ANNOT_IS_NO_ROTATE)
+ {
+ int rotate = pdf_to_int(ctx, pdf_dict_get_inheritable(ctx, page->obj, PDF_NAME(Rotate)));
+ fz_rect rect = pdf_dict_get_rect(ctx, annot->obj, PDF_NAME(Rect));
+ fz_point tp = fz_transform_point_xy(rect.x0, rect.y1, page_ctm);
+ page_ctm = fz_concat(page_ctm, fz_translate(-tp.x, -tp.y));
+ page_ctm = fz_concat(page_ctm, fz_rotate(-rotate));
+ page_ctm = fz_concat(page_ctm, fz_translate(tp.x, tp.y));
+ }
- ctm = fz_concat(page_ctm, ctm);
+ ctm = fz_concat(page_ctm, ctm);
- fz_try(ctx)
- {
 proc = pdf_new_run_processor(ctx, dev, ctm, usage, NULL, default_cs);
 pdf_process_annot(ctx, proc, doc, page, annot, cookie);
 pdf_close_processor(ctx, proc);
--
cgit v1.2.3
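Review bot: The context lines `if (default_cs)` / `fz_set_default_colorspaces(ctx, dev, default_cs);` at the top of the hunk still run before the new `fz_try(ctx)`, so if that call can throw (not visible here; confirm in the device code), `default_cs` is leaked on that path just as it was for `pdf_page_transform()`. Moving those two lines to be the first statements inside the `fz_try(ctx)` block would put every throwing call made after the colorspaces are obtained under the same cleanup. The function starts and ends outside the hunk, so this assumes the drop happens in the `fz_always`/`fz_catch` that follows; it is also worth checking that nothing now assigned inside the try (`ctm`, `page_ctm`, `flags`) is read there without `fz_var`. Because the throw is triggered by a page-tree cycle in an untrusted PDF, a regression file that exercises this path under a leak checker would keep the fix from silently regressing.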