diff options
Diffstat (limited to 'testing/mupdf/CVE-2016-6265.patch')
-rw-r--r-- | testing/mupdf/CVE-2016-6265.patch | 33 |
1 files changed, 0 insertions, 33 deletions
diff --git a/testing/mupdf/CVE-2016-6265.patch b/testing/mupdf/CVE-2016-6265.patch deleted file mode 100644 index 5053aa3ef1..0000000000 --- a/testing/mupdf/CVE-2016-6265.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Robin Watts <robin.watts@artifex.com> -Date: Thu, 21 Jul 2016 14:39:11 +0000 (+0100) -Subject: Bug 696941: Fix use after free. -X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=fa1936405b6a84e5c9bb440912c23d532772f958;hp=e98091d56afdf1cf6c9a017fa0bd35dd0b8968f0 - -Bug 696941: Fix use after free. - -The file is HORRIBLY corrupt, and triggers Sophos to think it's -PDF malware (which it isn't). It does however trigger a use -after free, worked around here. ---- - -diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c -index 576c315..3222599 100644 ---- a/source/pdf/pdf-xref.c -+++ b/source/pdf/pdf-xref.c -@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf) - fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i); - } - if (entry->type == 'o') -- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n') -- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i); -+ { -+ /* Read this into a local variable here, because pdf_get_xref_entry -+ * may solidify the xref, hence invalidating "entry", meaning we -+ * need a stashed value for the throw. */ -+ fz_off_t ofs = entry->ofs; -+ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n') -+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i); -+ } - } - } - |