From 1ed27a8243b5335040a4d9d9fac9d239a13b0602 Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Fri, 28 Feb 2014 15:04:35 +0000 Subject: Fix potential illegal access. pdf_flush_text can cause the list of gstates to be extended. This can in turn cause them to move in memory. This means that any gstate pointers already held can be invalidated. Update the code to allow for this. --- source/pdf/pdf-interpret.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c index 02094fef..c01d7ea5 100644 --- a/source/pdf/pdf-interpret.c +++ b/source/pdf/pdf-interpret.c @@ -673,7 +673,7 @@ pdf_show_path(pdf_csi *csi, int doclose, int dofill, int dostroke, int even_odd) * Assemble and emit text */ -static void +static pdf_gstate * pdf_flush_text(pdf_csi *csi) { pdf_gstate *gstate = csi->gstate + csi->gtop; @@ -686,7 +686,7 @@ pdf_flush_text(pdf_csi *csi) softmask_save softmask = { NULL }; if (!csi->text) - return; + return gstate; text = csi->text; csi->text = NULL; @@ -798,6 +798,8 @@ pdf_flush_text(pdf_csi *csi) { fz_rethrow(ctx); } + + return csi->gstate + csi->gtop; } static void @@ -871,7 +873,7 @@ pdf_show_char(pdf_csi *csi, int cid) gstate->render != csi->text_mode || render_direct) { - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); csi->text = fz_new_text(ctx, fontdesc->font, &trm, fontdesc->wmode); csi->text->trm.e = 0; @@ -1265,10 +1267,10 @@ static void pdf_set_colorspace(pdf_csi *csi, int what, fz_colorspace *colorspace) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1294,11 +1296,11 @@ static void pdf_set_color(pdf_csi *csi, int what, float *v) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; int i; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1323,10 +1325,10 @@ static void pdf_set_shade(pdf_csi *csi, int what, fz_shade *shade) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1341,10 +1343,10 @@ static void pdf_set_pattern(pdf_csi *csi, int what, pdf_pattern *pat, float *v) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gs = csi->gstate + csi->gtop; + pdf_gstate *gs; pdf_material *mat; - pdf_flush_text(csi); + gs = pdf_flush_text(csi); mat = what == PDF_FILL ? &gs->fill : &gs->stroke; @@ -1661,11 +1663,11 @@ static void pdf_run_extgstate(pdf_csi *csi, pdf_obj *rdb, pdf_obj *extgstate) { fz_context *ctx = csi->dev->ctx; - pdf_gstate *gstate = csi->gstate + csi->gtop; + pdf_gstate *gstate; fz_colorspace *colorspace; int i, k, n; - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); n = pdf_dict_len(extgstate); for (i = 0; i < n; i++) @@ -2234,9 +2236,9 @@ static void pdf_run_Tw(pdf_csi *csi) static void pdf_run_Tz(pdf_csi *csi) { - pdf_gstate *gstate = csi->gstate + csi->gtop; + pdf_gstate *gstate; float a = csi->stack[0] / 100; - pdf_flush_text(csi); + gstate = pdf_flush_text(csi); gstate->scale = a; } @@ -2583,8 +2585,8 @@ static void pdf_run_v(pdf_csi *csi) static void pdf_run_w(pdf_csi *csi) { - pdf_gstate *gstate = csi->gstate + csi->gtop; - pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */ + pdf_gstate *gstate; + gstate = pdf_flush_text(csi); /* linewidth affects stroked text rendering mode */ csi->dev->flags &= ~FZ_DEVFLAG_LINEWIDTH_UNDEFINED; gstate->stroke_state = fz_unshare_stroke_state(csi->dev->ctx, gstate->stroke_state); gstate->stroke_state->linewidth = csi->stack[0]; -- cgit v1.2.3