mirror of
https://gitlab.alpinelinux.org/alpine/aports.git
synced 2025-07-24 11:45:18 +03:00
f636832bd4
Patches on github are not stable. The index hashes can change, causing the checksums to mismatch.
45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
From cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
|
|
From: Robin Watts <Robin.Watts@artifex.com>
|
|
Date: Fri, 22 Jan 2021 17:05:15 +0000
|
|
Subject: [PATCH] Bug 703366: Fix double free of object during linearization.
|
|
|
|
This appears to happen because we parse an illegal object from
|
|
a broken file and assign it to object 0, which is defined to
|
|
be free.
|
|
|
|
Here, we fix the parsing code so this can't happen.
|
|
---
|
|
source/pdf/pdf-parse.c | 6 ++++++
|
|
source/pdf/pdf-xref.c | 2 ++
|
|
2 files changed, 8 insertions(+)
|
|
|
|
diff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
|
|
index 7abc8c3d41..5761c33517 100644
|
|
--- a/source/pdf/pdf-parse.c
|
|
+++ b/source/pdf/pdf-parse.c
|
|
@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
|
|
fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
|
|
}
|
|
gen = buf->i;
|
|
+ if (gen < 0 || gen >= 65536)
|
|
+ {
|
|
+ if (try_repair)
|
|
+ *try_repair = 1;
|
|
+ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
|
|
+ }
|
|
|
|
tok = pdf_lex(ctx, file, buf);
|
|
if (tok != PDF_TOK_OBJ)
|
|
diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
|
|
index 1b2bdcd59d..30197b4b85 100644
|
|
--- a/source/pdf/pdf-xref.c
|
|
+++ b/source/pdf/pdf-xref.c
|
|
@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
|
|
{
|
|
ofs = fz_tell(ctx, doc->file);
|
|
trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
|
|
+ if (num == 0)
|
|
+ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
|
|
}
|
|
fz_catch(ctx)
|
|
{
|