From bf20683f737a39ccb0e8c74735fdd6805025c987 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Thu, 9 Jan 2014 15:54:48 +0000
Subject: Bug 694878: Fix SEGV due to double free
When constructing a filter chain, we pass ownership of 'chain' inwards. This means we need to be careful not to double close chain. This fixes: 5df97f8539d31745f1c45cc9e1468825_asan_heap-oob_a59afe_1862_225.pdf a736faf6f4a34b7ad8eff207ba52aa57_asan_heap-oob_a59dd9_5744_4860.pdf Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the fuzzing files.
---
 source/pdf/pdf-stream.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
(limited to 'source/pdf/pdf-stream.c')
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index f747a54b..0f568f16 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -298,12 +298,22 @@ pdf_open_filter(fz_stream *chain, pdf_document *doc, pdf_obj *stmobj, int num, i
 chain = pdf_open_raw_filter(chain, doc, stmobj, num, num, gen, offset);
+ fz_var(chain);
+
 fz_try(doc->ctx)
 {
 if (pdf_is_name(filters))
- chain = build_filter(chain, doc, filters, params, num, gen, imparams);
+ {
+ fz_stream *chain2 = chain;
+ chain = NULL;
+ chain = build_filter(chain2, doc, filters, params, num, gen, imparams);
+ }
 else if (pdf_array_len(filters) > 0)
- chain = build_filter_chain(chain, doc, filters, params, num, gen, imparams);
+ {
+ fz_stream *chain2 = chain;
+ chain = NULL;
+ chain = build_filter_chain(chain2, doc, filters, params, num, gen, imparams);
+ }
 }
 fz_catch(doc->ctx)
 {
--
cgit v1.2.3
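Review bot: The ownership hand-off `fz_stream *chain2 = chain; chain = NULL;` in both new branches is the entire fix, yet nothing in the code records why it is there, so a later cleanup that "simplifies" it back to `chain = build_filter(chain, ...)` would silently reintroduce the double close; a comment above the first hand-off such as `/* build_filter() takes ownership of chain2 and closes it on failure; clear chain so the fz_catch block does not close it a second time */` would pin the invariant. The same three lines are repeated in the `pdf_is_name` and `pdf_array_len` branches; hoisting `fz_stream *chain2 = chain; chain = NULL;` above the `if` would leave a single hand-off and a one-line call per branch, with the `else` (no filters) case then needing `chain = chain2;` to keep the raw stream, so the duplication is a defensible trade-off worth a comment if kept. The added `fz_var(chain)` is correctly placed before `fz_try`, as `chain` is assigned inside the try and is presumably read by the `fz_catch` block, whose body lies outside this hunk. The enclosing `pdf_open_filter` begins and ends outside the hunk, so the catch-side cleanup cannot be checked here.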