File 0002-Bug-702253-Avoid-a-use-after-free-in-fz_dr... of Package mupdf

Overview Repositories Revisions Requests Users Attributes Meta

File 0002-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_wr.patch of Package mupdf

From f371fbd5d35cb60e9673ed359431bf8c07e81e22 Mon Sep 17 00:00:00 2001
From: theshoals <theshoals@users.noreply.github.com>
Date: Mon, 4 May 2020 03:33:40 -0400
Subject: [PATCH 2/2] Bug 702253: Avoid a use-after-free in fz_drop_band_writer

A use-after-free would occur when a valid page was followed by
a page with invalid pixmap dimensions, causing bander --
a static -- to point to previously freed memory instead of a new
band_writer.

(cherry picked from commit 96751b25462f83d6e16a9afaf8980b0c3f979c8b)
---
 source/tools/mudraw.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source/tools/mudraw.c b/source/tools/mudraw.c
index ccae16a2e..09c9f4bc8 100644
--- a/source/tools/mudraw.c
+++ b/source/tools/mudraw.c
@@ -924,7 +924,14 @@ static void dodrawpage(fz_context *ctx, fz_page *page, fz_display_list *list, in
 		fz_always(ctx)
 		{
 			if (output_format != OUT_PCLM)
+			{
 				fz_drop_band_writer(ctx, bander);
+				/* bander must be set to NULL to avoid use-after-frees. A use-after-free
+				 * would occur when a valid page was followed by a page with invalid
+				 * pixmap dimensions, causing bander -- a static -- to point to previously
+				 * freed memory instead of a new band_writer. */
+				bander = NULL;
+			}
 			fz_drop_bitmap(ctx, bit);
 			bit = NULL;
 			if (num_workers > 0)
-- 
2.31.1

Places

File 0002-Bug-702253-Avoid-a-use-after-free-in-fz_drop_band_wr.patch of Package mupdf

Places