[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - vcl/source xmlsecurity/qa

Miklos Vajna vmiklos at collabora.co.uk
Fri Mar 2 14:32:09 UTC 2018 

 vcl/source/filter/ipdf/pdfdocument.cxx               |    4 +++-
 xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf |binary
 xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx        |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

New commits:
commit bea0195cecc05008b3120ef753c25c0d8d4abccc
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Fri Mar 2 11:18:21 2018 +0100

    forcepoint #16: fix heap-use-after-free
    
    PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a
    PDFObjectElement, stores it as an owning pointer inside rElements, and
    also stores two non-owning references to it in m_aOffsetObjects and
    m_aIDObjects. So make sure those 2 other containers are also cleared
    then elements go away.
    
    LO_TRACE="valgrind" bin/run pdfverify <sample>
    
    doesn't report errors anymore after the fix.
    
    Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
    Reviewed-on: https://gerrit.libreoffice.org/50631
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Michael Stahl <mstahl at redhat.com>

diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index 11c4519e44cf..a9f78fbe7f8c 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1266,8 +1266,10 @@ bool PDFDocument::Read(SvStream& rStream)
         if (pPrev)
             nStartXRef = pPrev->GetValue();
 
-        // Reset state, except object offsets and the edit buffer.
+        // Reset state, except the edit buffer.
         m_aElements.clear();
+        m_aOffsetObjects.clear();
+        m_aIDObjects.clear();
         m_aStartXRefs.clear();
         m_aEOFs.clear();
         m_pTrailer = nullptr;
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
new file mode 100644
index 000000000000..9edccb47f40c
Binary files /dev/null and b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf differ
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index c989af96f1b3..2a65ae004e43 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -450,6 +450,8 @@ void PDFSigningTest::testTokenize()
         "tdf107149.pdf",
         // Nested parentheses were not handled.
         "tdf114460.pdf",
+        // Valgrind was unhappy about this.
+        "forcepoint16.pdf",
     };
 
     for (const auto& rName : aNames)

More information about the Libreoffice-commits mailing list