From 0233af4f241c712b41a5d5dfc337cdfce8c63bc9 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Thu, 18 Oct 2018 17:46:52 +0000
Subject: Push/pop the graphics state stack when flattening.

When FPDFPage_Flatten() manipulates a content stream, it replaces the
content stream with a content stream array. The first element in the
array is the original content stream and the second element in the array
is the flattened annotations content. To make sure the original content
stream's graphics state stack does not affect the flattened annotations,
FPDFPage_Flatten() rewrites the original content stream to be:

q
$contents
Q

When FPDFPage_Flatten() manipulates a content stream array, it just
appends the flattened annotations as a new element in the array. This
may result in graphics state stack leaking out.

To fix this, wrap the content stream array to be:

["q", $content1, ..., $contentN, "Q"]

And then append the flattened annotations.

BUG=chromium:896366

Change-Id: Ic6499e39eb4c9f1fe45d037622bf02be724b6cae
Reviewed-on: https://pdfium-review.googlesource.com/c/44252
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 fpdfsdk/fpdf_flatten.cpp              | 47 +++++++++++++++++++++--------------
 fpdfsdk/fpdf_flatten_embeddertest.cpp | 17 +++++++++++++
 2 files changed, 45 insertions(+), 19 deletions(-)

(limited to 'fpdfsdk')

diff --git a/fpdfsdk/fpdf_flatten.cpp b/fpdfsdk/fpdf_flatten.cpp
index 98529c53c8..0cee611144 100644
--- a/fpdfsdk/fpdf_flatten.cpp
+++ b/fpdfsdk/fpdf_flatten.cpp
@@ -167,52 +167,61 @@ CFX_FloatRect CalculateRect(std::vector<CFX_FloatRect>* pRectArray) {
   return rcRet;
 }
 
-CPDF_Object* NewIndirectContentsStream(const ByteString& key,
-                                       CPDF_Document* pDocument) {
+ByteString GenerateFlattenedContent(const ByteString& key) {
+  return "q 1 0 0 1 0 0 cm /" + key + " Do Q";
+}
+
+CPDF_Object* NewIndirectContentsStream(CPDF_Document* pDocument,
+                                       const ByteString& contents) {
   CPDF_Stream* pNewContents = pDocument->NewIndirect<CPDF_Stream>(
       nullptr, 0,
       pdfium::MakeUnique<CPDF_Dictionary>(pDocument->GetByteStringPool()));
-  ByteString sStream =
-      ByteString::Format("q 1 0 0 1 0 0 cm /%s Do Q", key.c_str());
-  pNewContents->SetData(sStream.AsRawSpan());
+  pNewContents->SetData(contents.AsRawSpan());
   return pNewContents;
 }
 
 void SetPageContents(const ByteString& key,
                      CPDF_Dictionary* pPage,
                      CPDF_Document* pDocument) {
-  CPDF_Array* pContentsArray = nullptr;
+  CPDF_Array* pContentsArray =
+      pPage->GetArrayFor(pdfium::page_object::kContents);
   CPDF_Stream* pContentsStream =
       pPage->GetStreamFor(pdfium::page_object::kContents);
-  if (!pContentsStream) {
-    pContentsArray = pPage->GetArrayFor(pdfium::page_object::kContents);
-    if (!pContentsArray) {
-      if (!key.IsEmpty()) {
-        pPage->SetFor(pdfium::page_object::kContents,
-                      NewIndirectContentsStream(key, pDocument)
-                          ->MakeReference(pDocument));
-      }
-      return;
+  if (!pContentsStream && !pContentsArray) {
+    if (!key.IsEmpty()) {
+      pPage->SetFor(
+          pdfium::page_object::kContents,
+          NewIndirectContentsStream(pDocument, GenerateFlattenedContent(key))
+              ->MakeReference(pDocument));
     }
+    return;
   }
+
   pPage->ConvertToIndirectObjectFor(pdfium::page_object::kContents, pDocument);
-  if (!pContentsArray) {
-    pContentsArray = pDocument->NewIndirect<CPDF_Array>();
+  if (pContentsArray) {
+    pContentsArray->InsertAt(
+        0, NewIndirectContentsStream(pDocument, "q")->MakeReference(pDocument));
+    pContentsArray->Add(
+        NewIndirectContentsStream(pDocument, "Q")->MakeReference(pDocument));
+  } else {
     ByteString sStream = "q\n";
     {
       auto pAcc = pdfium::MakeRetain<CPDF_StreamAcc>(pContentsStream);
       pAcc->LoadAllDataFiltered();
-      sStream += ByteString(pAcc->GetData(), pAcc->GetSize());
+      sStream += ByteString(pAcc->GetSpan());
       sStream += "\nQ";
     }
     pContentsStream->SetDataAndRemoveFilter(sStream.AsRawSpan());
+
+    pContentsArray = pDocument->NewIndirect<CPDF_Array>();
     pContentsArray->Add(pContentsStream->MakeReference(pDocument));
     pPage->SetFor(pdfium::page_object::kContents,
                   pContentsArray->MakeReference(pDocument));
   }
   if (!key.IsEmpty()) {
     pContentsArray->Add(
-        NewIndirectContentsStream(key, pDocument)->MakeReference(pDocument));
+        NewIndirectContentsStream(pDocument, GenerateFlattenedContent(key))
+            ->MakeReference(pDocument));
   }
 }
 
diff --git a/fpdfsdk/fpdf_flatten_embeddertest.cpp b/fpdfsdk/fpdf_flatten_embeddertest.cpp
index c861d75711..450c30c730 100644
--- a/fpdfsdk/fpdf_flatten_embeddertest.cpp
+++ b/fpdfsdk/fpdf_flatten_embeddertest.cpp
@@ -54,3 +54,20 @@ TEST_F(FPDFFlattenEmbeddertest, BUG_890322) {
 
   VerifySavedDocument(200, 200, md5_hash);
 }
+
+TEST_F(FPDFFlattenEmbeddertest, BUG_896366) {
+  static const char md5_hash[] = "f71ab085c52c8445ae785eca3ec858b1";
+  EXPECT_TRUE(OpenDocument("bug_896366.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  ASSERT_TRUE(page);
+
+  ScopedFPDFBitmap bitmap = RenderLoadedPageWithFlags(page, FPDF_ANNOT);
+  CompareBitmap(bitmap.get(), 612, 792, md5_hash);
+
+  EXPECT_EQ(FLATTEN_SUCCESS, FPDFPage_Flatten(page, FLAT_PRINT));
+  EXPECT_TRUE(FPDF_SaveAsCopy(document(), this, 0));
+
+  UnloadPage(page);
+
+  VerifySavedDocument(612, 792, md5_hash);
+}
-- 
cgit v1.2.3