From b4a149570a589aa504802ceed22caad13752aa9c Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Sun, 19 Aug 2018 21:26:16 +0800
Subject: Bug 699653: Avoid dropping filter chain once too often in case of error.

build_filter_chain_drop() promises to extend (according to the fs argument) the filter chain it is given, or in case of exception throw away the at that point potentially extended filter chain it was given from the beginning.

Because build_filter_chain_drop() calls build_filter_drop() for every filter it adds, it doesn't need to do any cleanup of the filter chain on its own; that's build_filter_drop()'s responsibility.

Prior to this commit, fz_catch() in build_filter_chain_drop() would drop the filter chain one time too many (it was already dropped by build_filter_drop()), causing the callers to use a stale pointer. Now, once the extra fz_drop_stream() has been removed, the logic works as it ought to, even in the case of exceptions.

Thanks to oss-fuzz for reporting.
---
 source/pdf/pdf-stream.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c index 54d3d561..2b2f010d 100644 --- a/source/pdf/pdf-stream.c +++ b/source/pdf/pdf-stream.c @@ -251,10 +251,7 @@ build_filter_chain_drop(fz_context *ctx, fz_stream *chain, pdf_document *doc, pd } } fz_catch(ctx) - { - fz_drop_stream(ctx, chain); fz_rethrow(ctx); - } return chain; }
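Review bot: the fz_catch block now relies entirely on build_filter_drop() having already consumed `chain` on the error path, but nothing in the hunk records that contract, so a later reader will see a catch that rethrows without releasing a resource the function owns and may well "fix" it by reintroducing `fz_drop_stream(ctx, chain);`, bringing the double drop and stale-pointer use back. Suggest a one-line comment at the fz_catch site, e.g. `/* chain already dropped by build_filter_drop() on error; do not drop again */`. Also, the hunk only shows the tail of the fz_try body, so it cannot be confirmed from these lines that no statement before the first build_filter_drop() call can throw; if one can, the chain would now leak instead of being double-dropped, which is the safer failure but still worth checking against the full try body. Since oss-fuzz found the original double drop, it would be good to reference the fuzzer test case or add a regression test with a malformed filter array so the ownership rule is exercised under ASan going forward.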