From ef3cfb2a49b5be82d56d783f505319754dc65cb8 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 28 Mar 2018 15:17:27 +0200
Subject: Don't implicitly drop in fz_open_* chained filters.

---
 source/fitz/filter-predict.c | 52 +++++++++++++++++++-------------------------
 1 file changed, 22 insertions(+), 30 deletions(-)

(limited to 'source/fitz/filter-predict.c')

diff --git a/source/fitz/filter-predict.c b/source/fitz/filter-predict.c
index 24007bfe..e00e07fd 100644
--- a/source/fitz/filter-predict.c
+++ b/source/fitz/filter-predict.c
@@ -226,9 +226,7 @@ close_predict(fz_context *ctx, void *state_)
 fz_stream *
 fz_open_predict(fz_context *ctx, fz_stream *chain, int predictor, int columns, int colors, int bpc)
 {
-	fz_predict *state = NULL;
-
-	fz_var(state);
+	fz_predict *state;
 
 	if (predictor < 1)
 		predictor = 1;
@@ -239,34 +237,30 @@ fz_open_predict(fz_context *ctx, fz_stream *chain, int predictor, int columns, i
 	if (bpc < 1)
 		bpc = 8;
 
-	fz_try(ctx)
+	if (bpc != 1 && bpc != 2 && bpc != 4 && bpc != 8 && bpc != 16)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "invalid number of bits per component: %d", bpc);
+	if (colors > FZ_MAX_COLORS)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "too many color components (%d > %d)", colors, FZ_MAX_COLORS);
+	if (columns >= INT_MAX / (bpc * colors))
+		fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
+
+	if (predictor != 1 && predictor != 2 &&
+			predictor != 10 && predictor != 11 &&
+			predictor != 12 && predictor != 13 &&
+			predictor != 14 && predictor != 15)
 	{
-		if (bpc != 1 && bpc != 2 && bpc != 4 && bpc != 8 && bpc != 16)
-			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid number of bits per component: %d", bpc);
-		if (colors > FZ_MAX_COLORS)
-			fz_throw(ctx, FZ_ERROR_GENERIC, "too many color components (%d > %d)", colors, FZ_MAX_COLORS);
-		if (columns >= INT_MAX / (bpc * colors))
-			fz_throw(ctx, FZ_ERROR_GENERIC, "too many columns lead to an integer overflow (%d)", columns);
-
-		state = fz_malloc_struct(ctx, fz_predict);
-		state->in = NULL;
-		state->out = NULL;
-		state->chain = chain;
+		fz_warn(ctx, "invalid predictor: %d", predictor);
+		predictor = 1;
+	}
 
+	state = fz_malloc_struct(ctx, fz_predict);
+	fz_try(ctx)
+	{
 		state->predictor = predictor;
 		state->columns = columns;
 		state->colors = colors;
 		state->bpc = bpc;
 
-		if (state->predictor != 1 && state->predictor != 2 &&
-			state->predictor != 10 && state->predictor != 11 &&
-			state->predictor != 12 && state->predictor != 13 &&
-			state->predictor != 14 && state->predictor != 15)
-		{
-			fz_warn(ctx, "invalid predictor: %d", state->predictor);
-			state->predictor = 1;
-		}
-
 		state->stride = (state->bpc * state->colors * state->columns + 7) / 8;
 		state->bpp = (state->bpc * state->colors + 7) / 8;
 
@@ -277,16 +271,14 @@ fz_open_predict(fz_context *ctx, fz_stream *chain, int predictor, int columns, i
 		state->wp = state->out;
 
 		memset(state->ref, 0, state->stride);
+
+		state->chain = fz_keep_stream(ctx, chain);
 	}
 	fz_catch(ctx)
 	{
-		if (state)
-		{
-			fz_free(ctx, state->in);
-			fz_free(ctx, state->out);
-		}
+		fz_free(ctx, state->in);
+		fz_free(ctx, state->out);
 		fz_free(ctx, state);
-		fz_drop_stream(ctx, chain);
 		fz_rethrow(ctx);
 	}
 
-- 
cgit v1.2.3