From 22685a3e50098360a599ec344b9ae470ce740313 Mon Sep 17 00:00:00 2001 From: Robin Watts Date: Sun, 27 Apr 2014 23:40:34 +0100 Subject: Bug 695171: Pointer error when padding an fz_concat machine When we return the padding byte in an fz_concat stream, ensure that we remember to increment rp to point just past in. If not, then we'll read 2 whitespace chars out. This is fine unless we try and fz_unread_byte the first one, when we'll leave rp pointing to an out of buffer address. Credit to Malc for the bisecting/debugging that got me to the fix. Many thanks. --- source/fitz/filter-basic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source') diff --git a/source/fitz/filter-basic.c b/source/fitz/filter-basic.c index 5defe066..3673226d 100644 --- a/source/fitz/filter-basic.c +++ b/source/fitz/filter-basic.c @@ -126,7 +126,7 @@ next_concat(fz_stream *stm, int max) fz_close(state->chain[state->current-1]); if (state->pad) { - stm->rp = &state->ws_buf; + stm->rp = (&state->ws_buf)+1; stm->wp = stm->rp + 1; stm->pos++; return 32; -- cgit v1.2.3
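Review bot: the `+` line moves `stm->rp` one byte past `ws_buf`, but the unchanged `stm->wp = stm->rp + 1;` two lines below now leaves `wp` two bytes past the address of `ws_buf`, so the stream still advertises one unread byte between `rp` and `wp` that lies outside `ws_buf` if `ws_buf` is a single byte (as the `&state->ws_buf` expression suggests); a subsequent read that drains the window before calling `next_concat` again would return that out-of-struct byte. Since the padding byte is handed back directly via `return 32;`, the buffered window should be empty, i.e. `stm->wp = stm->rp;`. For the unread case described in the commit message to be safe, `ws_buf` must also actually hold the whitespace value so that `fz_unread_byte` decrementing `rp` lands on a valid 32; the store is not visible in this hunk, so please confirm it happens where `state->pad` is set.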