File CVE-2018-6544.patch of Package mupdf.7788

Index: mupdf-1.12.0-source/source/pdf/pdf-stream.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-stream.c
+++ mupdf-1.12.0-source/source/pdf/pdf-stream.c
@@ -303,14 +303,13 @@ pdf_open_raw_filter(fz_context *ctx, fz_
 		*orig_gen = 0;
 	}
 
-	fz_var(chain);
+	chain = fz_keep_stream(ctx, chain);
 
 	fz_try(ctx)
 	{
 		len = pdf_to_int(ctx, pdf_dict_get(ctx, stmobj, PDF_NAME_Length));
 
-		/* don't close chain when we close this filter */
-		chain2 = fz_keep_stream(ctx, chain);
+		chain2 = chain;
 		chain = NULL;
 		chain = fz_open_null(ctx, chain2, len, offset);
 
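Review bot: Dropping `fz_var(chain)` is only safe if the fz_catch block (outside this hunk) no longer reads `chain`; `chain` is still assigned inside fz_try on the two lines after `chain2 = chain;`, and `chain2` is now assigned inside fz_try as well, so whichever of the two the catch drops must be declared with `fz_var()` to hold its value across the longjmp. If the catch was changed to `fz_drop_stream(ctx, chain2)`, add `fz_var(chain2);` beside the new `chain = fz_keep_stream(ctx, chain);`; if it still drops `chain`, the removed `fz_var(chain)` has to stay. The deleted comment was the only explanation of why a reference is taken at all, so keep it on the moved keep, e.g. `/* keep our own reference so that closing this filter does not close the caller's chain */`. pdf_open_raw_filter begins and ends outside the hunk.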
Index: mupdf-1.12.0-source/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-xref.c
+++ mupdf-1.12.0-source/source/pdf/pdf-xref.c
@@ -1595,6 +1595,19 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 	{
 		objstm = pdf_load_object(ctx, doc, num);
 
+		if (pdf_obj_marked(ctx, objstm))
+			fz_throw(ctx, FZ_ERROR_GENERIC, "recursive object stream lookup");
+	}
+	fz_catch(ctx)
+	{
+		pdf_drop_obj(ctx, objstm);
+		fz_rethrow(ctx);
+	}
+
+	fz_try(ctx)
+	{
+		pdf_mark_obj(ctx, objstm);
+
 		count = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_N));
 		first = pdf_to_int(ctx, pdf_dict_get(ctx, objstm, PDF_NAME_First));
 
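Review bot: The first fz_catch drops `objstm` on any failure of `pdf_load_object`, which is correct only if `objstm` is initialised to NULL before that fz_try (the initialisation is outside the hunk); otherwise a throw from pdf_load_object hands an indeterminate pointer to pdf_drop_obj. The mark set by `pdf_mark_obj(ctx, objstm);` is cleared only by the `pdf_unmark_obj` added in the second hunk of this file; that clean-up block reads as fz_always (fz_catch follows it), which is what keeps the mark balanced on both the success and the error path, and it deserves a one-line comment because moving the unmark into the catch would leave the object permanently marked and every later load of that stream would be rejected as recursive. The check itself also wants a why-comment above `if (pdf_obj_marked(ctx, objstm))`, e.g. `/* A crafted xref can place an object stream inside itself; the mark set below detects the cycle instead of recursing without bound. */`. pdf_load_obj_stm begins and ends outside the hunk.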
@@ -1674,6 +1687,7 @@ pdf_load_obj_stm(fz_context *ctx, pdf_do
 		fz_drop_stream(ctx, stm);
 		fz_free(ctx, ofsbuf);
 		fz_free(ctx, numbuf);
+		pdf_unmark_obj(ctx, objstm);
 		pdf_drop_obj(ctx, objstm);
 	}
 	fz_catch(ctx)