author | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-03-02 11:18:21 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2018-04-07 17:46:33 +0200 |
commit | e653c97e7fa488dd88210d054cc81dc57e62e2b4 (patch) | |
tree | 723be33b7b59bdd2ec5897ac42242df44bb132c2 | |
parent | sw lok: Don't try to open TOC marks in a new window, jump instead. (diff) | |
forcepoint #16: fix heap-use-after-free
PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a
PDFObjectElement, stores it as an owning pointer inside rElements, and
also stores two non-owning references to it in m_aOffsetObjects and
m_aIDObjects. So make sure those 2 other containers are also cleared
when elements go away.
LO_TRACE="valgrind" bin/run pdfverify <sample>
doesn't report errors anymore after the fix.
Reviewed-on: https://gerrit.libreoffice.org/50632
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 506d4cbc2f0dbef6f20f1199efcda805c9901d09)
Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
-rw-r--r-- | vcl/source/filter/ipdf/pdfdocument.cxx | 4 | ||||
-rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf | bin | 0 -> 51200 bytes | |||
-rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 2 |
3 files changed, 5 insertions, 1 deletions
diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index 218d2140c9cc..b2c3a8577469 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1280,8 +1280,10 @@ bool PDFDocument::Read(SvStream& rStream)
 if (pPrev)
 nStartXRef = pPrev->GetValue();
- // Reset state, except object offsets and the edit buffer.
+ // Reset state, except the edit buffer.
 m_aElements.clear();
+ m_aOffsetObjects.clear();
+ m_aIDObjects.clear();
 m_aStartXRefs.clear();
 m_aEOFs.clear();
 m_pTrailer = nullptr;
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
Binary files differ
new file mode 100644
index 000000000000..9edccb47f40c
--- /dev/null
+++ b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index b7bca31a6caa..7be3d38e8b3b 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -416,6 +416,8 @@ void PDFSigningTest::testTokenize()
 // File that's intentionally smaller than 1024 bytes.
 OUStringLiteral("small.pdf"),
 OUStringLiteral("tdf107149.pdf"),
+ // Valgrind was unhappy about this.
+ OUStringLiteral("forcepoint16.pdf"),
 };
 for (const auto& rName : aNames) |
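Review bot: The two added clear() calls in the pdfdocument.cxx hunk fix this reset path, but the invariant they restore — that m_aOffsetObjects and m_aIDObjects hold only non-owning pointers into m_aElements — is not stated anywhere a later editor of Read() or of another m_aElements.clear() site would see it, so the same dangling-pointer bug can reappear at the next reset path. Suggested comment above the clears: `// m_aOffsetObjects and m_aIDObjects index into m_aElements with non-owning pointers; they must be cleared together with it or they dangle.` Moving the three clears (and the m_pTrailer reset, which looks like another pointer into the same storage) into one private helper would make it impossible to reset the owning container without its indexes. Read() continues outside the hunk, and the hunk's 8/10 line counts suggest a trailing context line is missing from this page, so any further raw pointers reset there cannot be checked here.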