From 527afcaa0744472d7ad2ef84ce79ab34a036ad85 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Wed, 4 Sep 2013 14:04:39 +0200
Subject: Bug 694567: prevent double-free in pdf_open_raw_filter

If opening a filter in pdf_open_crypt throws, the stream is closed in the used fz_open_* method and thus mustn't be closed again.
---
 source/fitz/filter-basic.c | 5 ++++-
 source/pdf/pdf-stream.c | 14 +++-----------
 2 files changed, 7 insertions(+), 12 deletions(-)
(limited to 'source')

diff --git a/source/fitz/filter-basic.c b/source/fitz/filter-basic.c
index 3968d193..4e64d016 100644
--- a/source/fitz/filter-basic.c
+++ b/source/fitz/filter-basic.c
@@ -639,9 +639,11 @@ close_aesd(fz_context *ctx, void *state_)
 fz_stream *
 fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen)
 {
-	fz_aesd *state;
+	fz_aesd *state = NULL;
 	fz_context *ctx = chain->ctx;
 
+	fz_var(state);
+
 	fz_try(ctx)
 	{
 		state = fz_malloc_struct(ctx, fz_aesd);
@@ -654,6 +656,7 @@ fz_open_aesd(fz_stream *chain, unsigned char *key, unsigned keylen)
 	}
 	fz_catch(ctx)
 	{
+		fz_free(ctx, state);
 		fz_close(chain);
 		fz_rethrow(ctx);
 	}
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
index a46cdcc7..88a7559f 100644
--- a/source/pdf/pdf-stream.c
+++ b/source/pdf/pdf-stream.c
@@ -244,17 +244,9 @@ pdf_open_raw_filter(fz_stream *chain, pdf_document *doc, pdf_obj *stmobj, int nu
 	len = pdf_to_int(pdf_dict_gets(stmobj, "Length"));
 	chain = fz_open_null(chain, len, offset);
 
-	fz_try(ctx)
-	{
-		hascrypt = pdf_stream_has_crypt(ctx, stmobj);
-		if (doc->crypt && !hascrypt)
-			chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen);
-	}
-	fz_catch(ctx)
-	{
-		fz_close(chain);
-		fz_rethrow(ctx);
-	}
+	hascrypt = pdf_stream_has_crypt(ctx, stmobj);
+	if (doc->crypt && !hascrypt)
+		chain = pdf_open_crypt(chain, doc->crypt, orig_num, orig_gen);
 
 	return chain;
 }
-- 
cgit v1.2.3
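Review bot: The added `fz_free(ctx, state);` in the fz_catch block is only correct because `state` has not yet been handed to a stream object when the catch runs; if the stream were created inside the fz_try (the lines between the two hunks are not shown here), the stream's close handler would free the same allocation a second time and the commit would trade one double-free for another. A comment on the new line would pin that assumption for the next editor, e.g. `/* state is not yet owned by a stream here, so it is ours to free before rethrowing */`. The same fz_try / fz_malloc_struct shape is used by the neighbouring filter constructors in this file; if fz_open_arc4 follows it, its catch presumably needs the same fz_free, since the commit message makes pdf_open_crypt rely on whichever fz_open_* it calls for cleanup. fz_open_aesd begins before this hunk and continues past it.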
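Review bot: With the fz_try / fz_catch removed, an exception raised by `pdf_stream_has_crypt(ctx, stmobj)` would now leak the stream returned by `fz_open_null` on the line above it, because nothing closes `chain` before the error propagates; the new ownership rule from the commit message covers only the failure path inside `pdf_open_crypt`. Whether `pdf_stream_has_crypt` can throw is not visible in this hunk (it presumably inspects dictionary entries of `stmobj`), but the question becomes moot if it is evaluated before the stream is wrapped: move `hascrypt = pdf_stream_has_crypt(ctx, stmobj);` above `chain = fz_open_null(chain, len, offset);`. The contract the commit now depends on is also worth stating at the call, e.g. `/* pdf_open_crypt closes chain itself if it throws; do not close it again here */`. pdf_open_raw_filter begins before this hunk.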