1*4882a593SmuzhiyunFrom cee7cefc610d42fd383b3c80c12cbc675443176a Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Robin Watts <Robin.Watts@artifex.com>
3*4882a593SmuzhiyunDate: Fri, 22 Jan 2021 17:05:15 +0000
4*4882a593SmuzhiyunSubject: [PATCH] Bug 703366: Fix double free of object during linearization.
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunThis appears to happen because we parse an illegal object from
7*4882a593Smuzhiyuna broken file and assign it to object 0, which is defined to
8*4882a593Smuzhiyunbe free.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunHere, we fix the parsing code so this can't happen.
11*4882a593Smuzhiyun
12*4882a593Smuzhiyun[Retrieved from:
13*4882a593Smuzhiyunhttp://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a]
14*4882a593SmuzhiyunSigned-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
15*4882a593Smuzhiyun---
16*4882a593Smuzhiyun source/pdf/pdf-parse.c | 6 ++++++
17*4882a593Smuzhiyun source/pdf/pdf-xref.c | 2 ++
18*4882a593Smuzhiyun 2 files changed, 8 insertions(+)
19*4882a593Smuzhiyun
20*4882a593Smuzhiyundiff --git a/source/pdf/pdf-parse.c b/source/pdf/pdf-parse.c
21*4882a593Smuzhiyunindex 7abc8c3d4..5761c3351 100644
22*4882a593Smuzhiyun--- a/source/pdf/pdf-parse.c
23*4882a593Smuzhiyun+++ b/source/pdf/pdf-parse.c
24*4882a593Smuzhiyun@@ -749,6 +749,12 @@ pdf_parse_ind_obj(fz_context *ctx, pdf_document *doc,
25*4882a593Smuzhiyun fz_throw(ctx, FZ_ERROR_SYNTAX, "expected generation number (%d ? obj)", num);
26*4882a593Smuzhiyun }
27*4882a593Smuzhiyun gen = buf->i;
28*4882a593Smuzhiyun+ if (gen < 0 || gen >= 65536)
29*4882a593Smuzhiyun+ {
30*4882a593Smuzhiyun+ if (try_repair)
31*4882a593Smuzhiyun+ *try_repair = 1;
32*4882a593Smuzhiyun+ fz_throw(ctx, FZ_ERROR_SYNTAX, "invalid generation number (%d)", gen);
33*4882a593Smuzhiyun+ }
34*4882a593Smuzhiyun 
35*4882a593Smuzhiyun tok = pdf_lex(ctx, file, buf);
36*4882a593Smuzhiyun if (tok != PDF_TOK_OBJ)
37*4882a593Smuzhiyundiff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
38*4882a593Smuzhiyunindex 1b2bdcd59..30197b4b8 100644
39*4882a593Smuzhiyun--- a/source/pdf/pdf-xref.c
40*4882a593Smuzhiyun+++ b/source/pdf/pdf-xref.c
41*4882a593Smuzhiyun@@ -1190,6 +1190,8 @@ pdf_read_new_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
42*4882a593Smuzhiyun {
43*4882a593Smuzhiyun ofs = fz_tell(ctx, doc->file);
44*4882a593Smuzhiyun trailer = pdf_parse_ind_obj(ctx, doc, doc->file, buf, &num, &gen, &stm_ofs, NULL);
45*4882a593Smuzhiyun+ if (num == 0)
46*4882a593Smuzhiyun+ fz_throw(ctx, FZ_ERROR_GENERIC, "Trailer object number cannot be 0\n");
47*4882a593Smuzhiyun }
48*4882a593Smuzhiyun fz_catch(ctx)
49*4882a593Smuzhiyun {
50*4882a593Smuzhiyun--
51*4882a593Smuzhiyun2.17.1
52*4882a593Smuzhiyun
53
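Review bot: The bound in the added `if (gen < 0 || gen >= 65536)` line is a bare magic number; the reader has to know that PDF generation numbers are limited to five decimal digits (0..65535, ISO 32000-1 §7.5.4) to see why 65536 is the cut-off. A short comment on that line, `/* PDF generation numbers are 0..65535 (ISO 32000-1 7.5.4) */`, or a named constant for the limit, would make the check self-explanatory and keep it from drifting if the xref code uses its own copy of the bound. The hunk range-checks only `gen`; the object number read just before it is not bounded here, and whether a negative or zero `num` is rejected elsewhere in pdf_parse_ind_obj cannot be seen from this hunk, so that is worth confirming against the rest of the function. pdf_parse_ind_obj starts and ends outside the hunk.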
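Review bot: The new `if (num == 0)` check rejects only object number 0, while a negative object number returned through `&num` from a corrupt file is just as invalid for a trailer; unless pdf_parse_ind_obj already refuses negatives (its body is not in this hunk), `if (num <= 0)` would close that gap at no cost, with the message adjusted to say "must be positive". The error string `"Trailer object number cannot be 0\n"` ends in a newline, unlike the other fz_throw messages in this patch (`"invalid generation number (%d)"`), so the `\n` should be dropped for consistent error output. pdf_read_new_xref starts and ends outside the hunk.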