File r1882-Correction-for-reverted-part-of-CVE-2017-... of Package podofo.35912

Overview Repositories Revisions Requests Users Attributes Meta

File r1882-Correction-for-reverted-part-of-CVE-2017-8054-fix.patch of Package podofo.35912

------------------------------------------------------------------------
r1882 | mabri | 2018-02-08 00:52:52 +0100 (jue, 08 feb 2018) | 9 lines

Patch by Matthias Brinke: Correction for reverted part of his CVE-2017-5084 fix

The first entry of the array held by rVar is now used for copy-initializing
another (stack-allocated, so it'll be freed when no longer needed) PdfVariant
whose array is copied in the next line via the PdfVariant assignment operator.
This avoids use-after-free in the latter: trying to copy the first array entry
after it was freed by PdfVariant::Clear() called in there, found by zyx, thanks.

Index: src/doc/PdfPagesTree.cpp
===================================================================
--- src/doc/PdfPagesTree.cpp	(revision 1881)
+++ src/doc/PdfPagesTree.cpp	(revision 1882)
@@ -479,7 +479,18 @@
         if( rVar.IsArray() ) 
         {
             // Fixes some broken PDFs who have trees with 1 element kids arrays
-            return GetPageNodeFromArray( 0, rVar.GetArray(), rLstParents );
+            // Recursive call removed to prevent stack overflow, replaced by:
+            // all the following inside this conditional, plus restart looping
+            const PdfArray & rVarArray = rVar.GetArray();
+            if (rVarArray.GetSize() == 0)
+            {
+                PdfError::LogMessage( eLogSeverity_Critical, "Trying to access"
+                    " first page index of empty array" );
+                return NULL;
+            }
+            PdfVariant rVarFirstEntry = rVarArray[0]; // avoids use-after-free
+            rVar = rVarFirstEntry; // in this line (rVar-ref'd array is freed)
+            continue;
         }
         else if( !rVar.IsReference() )
         {

------------------------------------------------------------------------

Places

File r1882-Correction-for-reverted-part-of-CVE-2017-8054-fix.patch of Package podofo.35912

Places