vcl/source/filter/ipdf/pdfdocument.cxx | 4 +++- xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf |binary xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-)
New commits: commit 506d4cbc2f0dbef6f20f1199efcda805c9901d09 Author: Miklos Vajna <[email protected]> Date: Fri Mar 2 11:18:21 2018 +0100 forcepoint #16: fix heap-use-after-free PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a PDFObjectElement, stores it as an owning pointer inside rElements, and also stores two non-owning references to it in m_aOffsetObjects and m_aIDObjects. So make sure those 2 other containers are also cleared then elements go away. LO_TRACE="valgrind" bin/run pdfverify <sample> doesn't report errors anymore after the fix. Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc Reviewed-on: https://gerrit.libreoffice.org/50632 Tested-by: Jenkins <[email protected]> Reviewed-by: Caolán McNamara <[email protected]> Tested-by: Caolán McNamara <[email protected]>
diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index cd6bf4659b87..2c4c9288a32c 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1281,8 +1281,10 @@ bool PDFDocument::Read(SvStream& rStream)
 if (pPrev) nStartXRef = pPrev->GetValue();
- // Reset state, except object offsets and the edit buffer.
+ // Reset state, except the edit buffer.
 m_aElements.clear();
+ m_aOffsetObjects.clear();
+ m_aIDObjects.clear();
 m_aStartXRefs.clear();
 m_aEOFs.clear();
 m_pTrailer = nullptr;
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
new file mode 100644
index 000000000000..9edccb47f40c
Binary files /dev/null and b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf differ
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 08e41dfc997e..55289fc05176 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
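Review bot: In the PDFDocument::Read() hunk of vcl/source/filter/ipdf/pdfdocument.cxx the two added clear() calls run after `m_aElements.clear()`, so for a short stretch `m_aOffsetObjects` and `m_aIDObjects` still hold pointers to objects that were just destroyed. Nothing visible in the hunk reads them in that window, but clearing the two non-owning maps before the owning container removes the window altogether. The ownership rule itself (m_aElements owns, the maps only reference) lives only in the commit message; I would state it at this site, e.g. `// m_aOffsetObjects and m_aIDObjects hold non-owning pointers into m_aElements: never clear one without the others.` Any other place that erases from m_aElements would need the same treatment, which cannot be checked from here because Read() starts and ends outside the hunk.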
@@ -418,6 +418,8 @@ void PDFSigningTest::testTokenize()
 "tdf107149.pdf",
 // Nested parentheses were not handled.
 "tdf114460.pdf",
+ // Valgrind was unhappy about this.
+ "forcepoint16.pdf",
 };
 for (const auto& rName : aNames)
_______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
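Review bot: The new comment `// Valgrind was unhappy about this.` in testTokenize() does not tell a later reader what the sample guards against; naming the defect would, e.g. `// Heap-use-after-free in PDFDocument::Read() (forcepoint #16).` As far as the hunk shows, the file is only added to the name list, so the regression would presumably be caught only when the test runs under a memory checker such as valgrind or ASan. The loop body lies outside the hunk, so whether it asserts anything about the parse result cannot be judged from here.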
