File CVE-2018-6187.patch of Package mupdf

X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=blobdiff_plain;f=source%2Fpdf%2Fpdf-write.c;h=bc67f003025516c04991758ea648f79d00926742;hp=a7326a173a09df3fd4e3adbf3e1842081b6dfea4;hb=3e30fbb7bf5efd88df431e366492356e7eb969ec;hpb=b03def134988da8c800adac1a38a41a1f09a1d89

Index: mupdf-1.12.0-source/source/pdf/pdf-write.c
===================================================================
--- mupdf-1.12.0-source.orig/source/pdf/pdf-write.c
+++ mupdf-1.12.0-source/source/pdf/pdf-write.c
@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_
 {
 	int i;
 
-	num++;
+	/* objects are numbered 0..num and maybe two additional objects for linearization */
+	num += 3;
 	opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
 	opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
 	opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
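Review bot: The new comment on `num += 3` leaves the arithmetic implicit, and since expand_lists is now the only place the padding lives I would spell it out: `/* indices 0..num need num+1 slots, plus up to 2 extra objects for linearization */`. Judging by the later hunks, `num` is an `int` taken from the xref length of a possibly repaired file, so a guard such as `if (num > INT_MAX - 3)` before the addition would rule out signed overflow. Whether `fz_resize_array` already rejects an oversized count is not visible here. The rest of expand_lists, including how newly added slots are initialised, lies outside the hunk.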
@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *c
 {
 	pdf_obj *obj;
 	int num;
-	int xref_len = pdf_xref_len(ctx, doc);
 
-	for (num = 0; num < xref_len; num++)
+	/* xref_len may change due to repair, so check it every iteration */
+	for (num = 0; num < pdf_xref_len(ctx, doc); num++)
 	{
 		if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
 		{
@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_co
 	opts->continue_on_error = in_opts->continue_on_error;
 	opts->errors = in_opts->errors;
 
-	expand_lists(ctx, opts, xref_len + 3);
+	expand_lists(ctx, opts, xref_len);
 }
 
 /* Free the resources held by the dynamic write options */
@@ -2889,6 +2890,9 @@ do_pdf_save_document(fz_context *ctx, pd
 		{
 			pdf_ensure_solid_xref(ctx, doc, xref_len);
 			preloadobjstms(ctx, doc);
+
+			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+			expand_lists(ctx, opts, xref_len);
 		}
 
 		/* Sweep & mark objects from the trailer */
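Review bot: Correctness here depends on every `xref_len = pdf_xref_len(ctx, doc)` refresh being followed by `expand_lists(ctx, opts, xref_len)` before `opts->use_list` is indexed, and that pairing is kept by hand in three places (this hunk and the two at -2897 and -2917). A small static helper that refreshes the length and grows the lists in one call, as sketched below, would keep a future refresh from missing the resize. The trailer sweep that follows this block is outside the hunk; if it can also load objects and trigger a repair, the list indices used there would need the same guarantee, which cannot be confirmed from these lines. do_pdf_save_document starts and ends outside the hunk.

```c
/* Re-read the xref length (repair may have grown it) and make sure the
 * per-object lists cover it before any caller indexes them. */
static int refresh_xref_len(fz_context *ctx, pdf_document *doc, pdf_write_state *opts)
{
	int xref_len = pdf_xref_len(ctx, doc);
	expand_lists(ctx, opts, xref_len);
	return xref_len;
}

/* ... unchanged: pdf_ensure_solid_xref and preloadobjstms calls ... */
			xref_len = refresh_xref_len(ctx, doc, opts); /* May have changed due to repair */
```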
@@ -2897,6 +2901,7 @@ do_pdf_save_document(fz_context *ctx, pd
 		else
 		{
 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+			expand_lists(ctx, opts, xref_len);
 			for (num = 0; num < xref_len; num++)
 				opts->use_list[num] = 1;
 		}
@@ -2917,6 +2922,7 @@ do_pdf_save_document(fz_context *ctx, pd
 		if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
 		{
 			xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+			expand_lists(ctx, opts, xref_len);
 			while (xref_len > 0 && !opts->use_list[xref_len-1])
 				xref_len--;
 		}