From 1e03c06456d997435019fb3526fa2d4be7dbc6ec Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Thu, 22 Sep 2016 13:44:45 +0100 Subject: Bug 697015: Avoid object references vanishing during repair. A PDF repair can be triggered 'just in time', when we encounter a problem in the file. The idea is that this can happen without the enclosing code being aware of it. Thus the enclosing code may be holding 'borrowed' references (such as those returned by pdf_dict_get()) at the time when the repair is triggered. We are therefore at pains to ensure that the repair does not replace any objects that exist already, so that the calling code will not have these references unexpectedly invalidated. The sole exception to this is when we replace the 'Length' fields in stream dictionaries with the actual lengths. Bug 697015 shows exactly this situation causing a reference to become invalid. The solution implemented here is to add an 'orphan list' to the document, where we put these (hopefully few, small) objects. These orphans are kept around until the document is closed. --- source/pdf/pdf-xref.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source/pdf/pdf-xref.c') diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c index 7d21775a..0cf20d4c 100644 --- a/source/pdf/pdf-xref.c +++ b/source/pdf/pdf-xref.c @@ -1620,6 +1620,12 @@ pdf_drop_document_imp(fz_context *ctx, pdf_document *doc) pdf_drop_resource_tables(ctx, doc); + for (i = 0; i < doc->orphans_count; i++) + { + pdf_drop_obj(ctx, doc->orphans[i]); + } + fz_free(ctx, doc->orphans); + fz_free(ctx, doc); } fz_always(ctx) -- cgit v1.2.3
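Review bot: The cleanup loop added to pdf_drop_document_imp() has no comment saying why the orphans are released at this point, immediately before `fz_free(ctx, doc);`. The commit message says orphans exist so that borrowed references (such as those returned by pdf_dict_get()) stay valid until the document is closed, so the ordering matters. A short comment above `for (i = 0; i < doc->orphans_count; i++)` saying that orphans must be dropped only after everything else that may still refer to them would keep a later reorder from reintroducing the dangling reference. Two things to confirm, since this view is limited to source/pdf/pdf-xref.c. First, the declaration of `i` lies outside the visible context, so check that it exists in this function and that its type matches `doc->orphans_count`. Second, the loop trusts `orphans_count` to equal the number of initialised entries in `doc->orphans`, so the code that appends an orphan should increment the count only after the slot has been written; otherwise `pdf_drop_obj(ctx, doc->orphans[i]);` could run on an unset pointer.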