From 98a111c8e49916f8f5ac21d11f4627540f9ddd49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Wed, 8 Jan 2014 18:59:41 +0100
Subject: prevent heap access violation in pdf_cache_object

pdf_load_obj_stm may resize the xref if it finds further objects in the stream, that might however invalidate any pdf_xref_entry hold such as the one in pdf_cache_object. This can be seen e.g. with 7ac3ad9ddad98d10b947a43cf640062f_asan_heap-uaf_930b78_1007_1675.pdf Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
---
 source/pdf/pdf-xref.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 2afe4de8..7391f115 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1690,6 +1690,7 @@ object_updated:
 {
 fz_rethrow_message(ctx, "cannot load object stream containing object (%d %d R)", num, gen);
 }
+x = pdf_get_xref_entry(doc, num);
 if (!x->obj)
 fz_throw(ctx, FZ_ERROR_GENERIC, "object (%d %d R) was not found in its object stream", num, gen);
 }
-- 
cgit v1.2.3
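Review bot: The added `x = pdf_get_xref_entry(doc, num);` is the whole fix for the stale-pointer use, but nothing at the call site records why `x` is reassigned from the same arguments, so a later cleanup could fold the two lookups back into one and reintroduce the use-after-free. Put the reason next to the line: `/* pdf_load_obj_stm may have grown the xref table, invalidating any pdf_xref_entry pointer held across the call; refetch x before touching it */`. If pdf_get_xref_entry can return NULL for an object number that is no longer in range, the `if (!x->obj)` on the following line dereferences it unchecked, which is worth confirming against that function's contract. The enclosing function (pdf_cache_object, per the subject) starts and ends outside the hunk, so any other xref-entry pointers it holds across the pdf_load_obj_stm call would need the same refetch.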