36 lines
1.5 KiB
Diff
36 lines
1.5 KiB
Diff
From fa1936405b6a84e5c9bb440912c23d532772f958 Mon Sep 17 00:00:00 2001
|
|
From: Robin Watts <robin.watts@artifex.com>
|
|
Date: Thu, 21 Jul 2016 15:39:11 +0100
|
|
Subject: [PATCH] Bug 696941: Fix use after free.
|
|
|
|
The file is HORRIBLY corrupt, and triggers Sophos to think it's
|
|
PDF malware (which it isn't). It does however trigger a use
|
|
after free, worked around here.
|
|
---
|
|
source/pdf/pdf-xref.c | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
|
index 576c315..3222599 100644
|
|
--- source/pdf/pdf-xref.c
|
|
+++ source/pdf/pdf-xref.c
|
|
@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
|
|
fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
|
|
}
|
|
if (entry->type == 'o')
|
|
- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
|
|
- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
|
|
+ {
|
|
+ /* Read this into a local variable here, because pdf_get_xref_entry
|
|
+ * may solidify the xref, hence invalidating "entry", meaning we
|
|
+ * need a stashed value for the throw. */
|
|
+ fz_off_t ofs = entry->ofs;
|
|
+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
|
|
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
--
|
|
2.9.1
|
|
|