From 944a6aff121475d1db07423fe97a72fa1ded3f40 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 29 Jun 2016 11:55:31 +0200
Subject: pdf: Check ownership when adding objects to a document.

---
 source/pdf/pdf-object.c | 10 +++++++++-
 source/pdf/pdf-xref.c   |  5 +++++
 2 files changed, 14 insertions(+), 1 deletion(-)

(limited to 'source/pdf')

diff --git a/source/pdf/pdf-object.c b/source/pdf/pdf-object.c
index 176b0933..5d990210 100644
--- a/source/pdf/pdf-object.c
+++ b/source/pdf/pdf-object.c
@@ -625,7 +625,7 @@ pdf_array_get(fz_context *ctx, pdf_obj *obj, int i)
 
 static void prepare_object_for_alteration(fz_context *ctx, pdf_obj *obj, pdf_obj *val)
 {
-	pdf_document *doc;
+	pdf_document *doc, *val_doc;
 	int parent;
 
 	/*
@@ -648,6 +648,14 @@ static void prepare_object_for_alteration(fz_context *ctx, pdf_obj *obj, pdf_obj
 	default:
 		return;
 	}
+
+	if (val)
+	{
+		val_doc = pdf_get_bound_document(ctx, val);
+		if (doc && val_doc && val_doc != doc)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "container and item belong to different documents");
+	}
+
 	/*
 		parent_num = 0 while an object is being parsed from the file.
 		No further action is necessary.
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 0365e7a7..117e4f1c 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -2699,7 +2699,12 @@ pdf_document *pdf_specifics(fz_context *ctx, fz_document *doc)
 pdf_obj *
 pdf_add_object(fz_context *ctx, pdf_document *doc, pdf_obj *obj)
 {
+	pdf_document *orig_doc;
 	int num;
+
+	orig_doc = pdf_get_bound_document(ctx, obj);
+	if (orig_doc && orig_doc != doc)
+		fz_throw(ctx, FZ_ERROR_GENERIC, "tried to add an object belonging to a different document");
 	if (pdf_is_indirect(ctx, obj))
 		return pdf_keep_obj(ctx, obj);
 	num = pdf_create_object(ctx, doc);
-- 
cgit v1.2.3