[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - vcl/source xmlsecurity/qa

Miklos Vajna vmiklos at collabora.co.uk
Fri Mar 2 14:09:13 UTC 2018


 vcl/source/filter/ipdf/pdfdocument.cxx               |    4 +++-
 xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf |binary
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx        |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

New commits:
commit 506d4cbc2f0dbef6f20f1199efcda805c9901d09
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Fri Mar 2 11:18:21 2018 +0100

    forcepoint #16: fix heap-use-after-free
    
    PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a
    PDFObjectElement, stores it as an owning pointer inside rElements, and
    also stores two non-owning references to it in m_aOffsetObjects and
    m_aIDObjects. So make sure those 2 other containers are also cleared
    then elements go away.
    
    LO_TRACE="valgrind" bin/run pdfverify <sample>
    
    doesn't report errors anymore after the fix.
    
    Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
    Reviewed-on: https://gerrit.libreoffice.org/50632
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    Tested-by: Caolán McNamara <caolanm at redhat.com>

diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index cd6bf4659b87..2c4c9288a32c 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1281,8 +1281,10 @@ bool PDFDocument::Read(SvStream& rStream)
         if (pPrev)
             nStartXRef = pPrev->GetValue();
 
-        // Reset state, except object offsets and the edit buffer.
+        // Reset state, except the edit buffer.
         m_aElements.clear();
+        m_aOffsetObjects.clear();
+        m_aIDObjects.clear();
         m_aStartXRefs.clear();
         m_aEOFs.clear();
         m_pTrailer = nullptr;
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
new file mode 100644
index 000000000000..9edccb47f40c
Binary files /dev/null and b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf differ
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 08e41dfc997e..55289fc05176 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -418,6 +418,8 @@ void PDFSigningTest::testTokenize()
         "tdf107149.pdf",
         // Nested parentheses were not handled.
         "tdf114460.pdf",
+        // Valgrind was unhappy about this.
+        "forcepoint16.pdf",
     };
 
     for (const auto& rName : aNames)


More information about the Libreoffice-commits mailing list