author | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-03-02 11:18:21 +0100 |
---|---|---|
committer | Miklos Vajna <vmiklos@collabora.co.uk> | 2018-03-02 20:09:21 +0100 |
commit | c8cd02629d0c17c248eae42369fff246f49ae9d7 (patch) | |
tree | aff8d40d1f6f0779b3d6604ea221dc85f4fe5965 /vcl/source | |
parent | f5850c7841e98c9f91076ea0e0b840374766bfca (diff) |
forcepoint #16: fix heap-use-after-free
PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a
PDFObjectElement, stores it as an owning pointer inside rElements, and
also stores two non-owning references to it in m_aOffsetObjects and
m_aIDObjects. So make sure those 2 other containers are also cleared
when elements go away.
LO_TRACE="valgrind" bin/run pdfverify <sample>
doesn't report errors anymore after the fix.
Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
Reviewed-on: https://gerrit.libreoffice.org/50627
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
Diffstat (limited to 'vcl/source')
-rw-r--r-- | vcl/source/filter/ipdf/pdfdocument.cxx | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx index af1eea1f57cf..98b6a2d8a596 100644 --- a/vcl/source/filter/ipdf/pdfdocument.cxx +++ b/vcl/source/filter/ipdf/pdfdocument.cxx @@ -1260,8 +1260,10 @@ bool PDFDocument::Read(SvStream& rStream) if (pPrev) nStartXRef = pPrev->GetValue(); - // Reset state, except object offsets and the edit buffer. + // Reset state, except the edit buffer. m_aElements.clear(); + m_aOffsetObjects.clear(); + m_aIDObjects.clear(); m_aStartXRefs.clear(); m_aEOFs.clear(); m_pTrailer = nullptr; |
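Review bot: In the hunk at @@ -1260,8 +1260,10 @@, the two non-owning lookup tables are cleared only after `m_aElements.clear()` has already destroyed the PDFObjectElement instances they point to, so for the span between those statements `m_aOffsetObjects` and `m_aIDObjects` hold dangling pointers. Nothing visible in the hunk dereferences them in that window, so the fix is correct as written, but clearing the non-owning containers first (`m_aOffsetObjects.clear(); m_aIDObjects.clear(); m_aElements.clear();`) would make the invariant "no index entry outlives its element" hold at every statement rather than only at the end of the block, and is the safer default if this reset is ever refactored. It would also be worth a short comment next to these three calls stating that `m_aOffsetObjects` and `m_aIDObjects` are non-owning views into `m_aElements` and must always be reset together with it, since the old comment ("except object offsets") suggests the earlier code deliberately preserved them and a future reader may be tempted to reintroduce that.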