File 0027-Correction-for-reverted-part-of-CVE-2017-8054-fix-in-0027.patch of Package podofo
Subject: Patch by Matthias Brinke: Correction for reverted part of his CVE-2017-5084 fix
Url: https://sourceforge.net/p/podofo/code/1882/
The first entry of the array held by rVar is now used for copy-initializing
another (stack-allocated, so it'll be freed when no longer needed) PdfVariant
whose array is copied in the next line via the PdfVariant assignment operator.
This avoids use-after-free in the latter: trying to copy the first array entry
after it was freed by PdfVariant::Clear() called in there, found by zyx, thanks.
--- a/podofo/trunk/src/doc/PdfPagesTree.cpp
+++ b/podofo/trunk/src/doc/PdfPagesTree.cpp
@@ -479,7 +479,18 @@
if( rVar.IsArray() )
{
// Fixes some broken PDFs who have trees with 1 element kids arrays
- return GetPageNodeFromArray( 0, rVar.GetArray(), rLstParents );
+ // Recursive call removed to prevent stack overflow, replaced by:
+ // all the following inside this conditional, plus restart looping
+ const PdfArray & rVarArray = rVar.GetArray();
+ if (rVarArray.GetSize() == 0)
+ {
+ PdfError::LogMessage( eLogSeverity_Critical, "Trying to access"
+ " first page index of empty array" );
+ return NULL;
+ }
+ PdfVariant rVarFirstEntry = rVarArray[0]; // avoids use-after-free
+ rVar = rVarFirstEntry; // in this line (rVar-ref'd array is freed)
+ continue;
}
else if( !rVar.IsReference() )
{
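Review bot: the `continue` that ends the new branch relies on an enclosing loop whose header lies outside this hunk's context, so neither the code comment ("plus restart looping") nor the commit message says why the loop still terminates once the recursive call is gone; add a sentence to the comment stating that each iteration replaces `rVar` with an element strictly nested inside the previous array (or with a reference, which takes the `else if( !rVar.IsReference() )` path), so the loop is bounded by the nesting depth of the kids array. The copy-then-assign pair (`PdfVariant rVarFirstEntry = rVarArray[0];` followed by `rVar = rVarFirstEntry;`) is the right shape for avoiding the use-after-free the message describes, since the temporary outlives the `PdfVariant::Clear()` performed by the assignment; it is worth also noting in the comment that `rVarArray` is a reference into the array that `rVar = ...` destroys and must not be touched after that line. Finally, the Subject line cites CVE-2017-5084 while the file name cites CVE-2017-8054; one of the two should be corrected so the patch can be traced to the right advisory.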