From 0ba1b9055a18bad2c2249c711d971bfaf1283251 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Tue, 14 Jan 2014 15:45:14 +0000
Subject: Bug 694894: Avoid throwing away an object while in use.

When we call to execute a pattern, we clear out the pdf_csi (the interpreter state). This involves clearing the stack and throwing away the record of the object we have just parsed. Unfortunately, when filling glyphs with a pattern, that object is still in use.

We therefore amend the pdf_run_contents_stream to safely stash the object away and restore it afterwards. This solves this problem, and protects us against any other similar problems that might also arise.

This solves: b8e2b57991896bf8120215cfbf7b54bb_asan_heap-uaf_86064f_2362_2587.pdf

Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
---
 source/pdf/pdf-interpret.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'source/pdf/pdf-interpret.c')

diff --git a/source/pdf/pdf-interpret.c b/source/pdf/pdf-interpret.c
index 71dcbd4e..eeb2f371 100644
--- a/source/pdf/pdf-interpret.c
+++ b/source/pdf/pdf-interpret.c
@@ -2954,6 +2954,7 @@ pdf_run_contents_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file)
 	pdf_lexbuf *buf;
 	int save_in_text;
 	int save_gbot;
+	pdf_obj *save_obj;
 
 	fz_var(buf);
 
@@ -2966,10 +2967,17 @@ pdf_run_contents_stream(pdf_csi *csi, pdf_obj *rdb, fz_stream *file)
 	csi->in_text = 0;
 	save_gbot = csi->gbot;
 	csi->gbot = csi->gtop;
+	save_obj = csi->obj;
+	csi->obj = NULL;
 	fz_try(ctx)
 	{
 		pdf_run_stream(csi, rdb, file, buf);
 	}
+	fz_always(ctx)
+	{
+		pdf_drop_obj(csi->obj);
+		csi->obj = save_obj;
+	}
 	fz_catch(ctx)
 	{
 		fz_rethrow_if(ctx, FZ_ERROR_TRYLATER);
-- 
cgit v1.2.3
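Review bot: The save/restore of `csi->obj` around `pdf_run_stream` in the second hunk carries no comment, so the reason for it lives only in the commit message and a later reader will not see why the field is cleared here instead of left alone; add above `save_obj = csi->obj;` something like `/* The object the caller just parsed (e.g. a glyph being filled with a pattern) may still be in use; stash it so the nested stream's reset of csi cannot drop it from under the caller. */`. The fz_always block also relies on `pdf_drop_obj` tolerating NULL, since on a normal return `csi->obj` is presumably already NULL — a one-line comment stating that contract would stop someone adding a redundant guard or, worse, assuming the drop is always of a live object. The enclosing pdf_run_contents_stream starts and ends outside this hunk, so it is not visible whether `save_in_text` and `save_gbot` are restored on the error path the same way; if they are restored only after fz_catch, moving them into this fz_always would make the cleanup uniform.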