[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - vcl/source xmlsecurity/qa
vcl/source/filter/ipdf/pdfdocument.cxx |4 +++- xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf |binary xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx|2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) New commits: commit bea0195cecc05008b3120ef753c25c0d8d4abccc Author: Miklos VajnaDate: Fri Mar 2 11:18:21 2018 +0100 forcepoint #16: fix heap-use-after-free PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a PDFObjectElement, stores it as an owning pointer inside rElements, and also stores two non-owning references to it in m_aOffsetObjects and m_aIDObjects. So make sure those 2 other containers are also cleared then elements go away. LO_TRACE="valgrind" bin/run pdfverify doesn't report errors anymore after the fix. Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc Reviewed-on: https://gerrit.libreoffice.org/50631 Reviewed-by: Michael Stahl Tested-by: Michael Stahl diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx index 11c4519e44cf..a9f78fbe7f8c 100644 --- a/vcl/source/filter/ipdf/pdfdocument.cxx +++ b/vcl/source/filter/ipdf/pdfdocument.cxx @@ -1266,8 +1266,10 @@ bool PDFDocument::Read(SvStream& rStream) if (pPrev) nStartXRef = pPrev->GetValue(); -// Reset state, except object offsets and the edit buffer. +// Reset state, except the edit buffer. m_aElements.clear(); +m_aOffsetObjects.clear(); +m_aIDObjects.clear(); m_aStartXRefs.clear(); m_aEOFs.clear(); m_pTrailer = nullptr; diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf new file mode 100644 index ..9edccb47f40c Binary files /dev/null and b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf differ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index c989af96f1b3..2a65ae004e43 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
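Review bot: The rewritten comment in PDFDocument::Read() does not record why m_aOffsetObjects and m_aIDObjects must be cleared together with m_aElements, so that invariant is stated only in the commit message. I would add `// m_aOffsetObjects and m_aIDObjects hold non-owning pointers into m_aElements; clear them together or they dangle.` above the three clear() calls. Read() starts and ends outside this hunk, so other code is not visible here. Any other member that keeps a raw pointer into m_aElements, or any other place that empties m_aElements, would need the same check.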
@@ -450,6 +450,8 @@ void PDFSigningTest::testTokenize() "tdf107149.pdf", // Nested parentheses were not handled. "tdf114460.pdf", +// Valgrind was unhappy about this. +"forcepoint16.pdf", }; for (const auto& rName : aNames) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
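Review bot: The added `forcepoint16.pdf` entry in testTokenize() probably guards against the use-after-free only when the suite runs under Valgrind or a sanitizer build. A plain run can pass with the fix reverted, because reading freed memory does not reliably crash. The comment should say so, e.g. `// Use-after-free of object elements in PDFDocument::Read(); needs valgrind or ASan to be detected.` What the loop asserts for each file is outside this hunk, so this is inferred from the existing comment and the commit message.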
[Libreoffice-commits] core.git: Branch 'libreoffice-6-0' - vcl/source xmlsecurity/qa
vcl/source/filter/ipdf/pdfdocument.cxx|9 + xmlsecurity/qa/unit/pdfsigning/data/tdf114460.pdf |binary xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx |2 ++ 3 files changed, 11 insertions(+) New commits: commit e45ca13634ba51a6133a231f74db76be06bb4d95 Author: Miklos VajnaDate: Mon Jan 22 22:12:04 2018 +0100 tdf#114460 vcl: handle nested parentheses in PDF roundtrip The roundtrip of the pdf image failed due to this. (cherry picked from commit f58a16d5987c8e8c16580c514ce0c7b0895b4105) Change-Id: I88a9657e242dd2659f9bf06233e5fcbfeb43ceb5 Reviewed-on: https://gerrit.libreoffice.org/48378 Tested-by: Jenkins Reviewed-by: Michael Stahl diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx index 56e90cf7adf3..11c4519e44cf 100644 --- a/vcl/source/filter/ipdf/pdfdocument.cxx +++ b/vcl/source/filter/ipdf/pdfdocument.cxx @@ -2021,11 +2021,20 @@ bool PDFLiteralStringElement::Read(SvStream& rStream) nPrevCh = ch; rStream.ReadChar(ch); +// Start with 1 nesting level as we read a '(' above already. +int nDepth = 1; OStringBuffer aBuf; while (!rStream.eof()) { +if (ch == '(' && nPrevCh != '\\') +++nDepth; + if (ch == ')' && nPrevCh != '\\') +--nDepth; + +if (nDepth == 0) { +// ')' of the outermost '(' is reached. m_aValue = aBuf.makeStringAndClear(); SAL_INFO("vcl.filter", "PDFLiteralStringElement::Read: m_aValue is '" << m_aValue << "'"); return true; diff --git a/xmlsecurity/qa/unit/pdfsigning/data/tdf114460.pdf b/xmlsecurity/qa/unit/pdfsigning/data/tdf114460.pdf new file mode 100644 index ..a736e5bb90cd Binary files /dev/null and b/xmlsecurity/qa/unit/pdfsigning/data/tdf114460.pdf differ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index 642a034ae5e1..c989af96f1b3 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx 
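Review bot: The `nPrevCh != '\\'` test in PDFLiteralStringElement::Read(), now applied to '(' as well as ')', treats a parenthesis that follows an escaped backslash as escaped. In `(a\\)` the closing ')' comes after a backslash but is the real terminator, so nDepth does not reach 0 there and the tokenizer keeps consuming bytes that belong to the following objects. That matters for a parser that feeds signature verification, since it can then disagree with other readers about where the string ends. Tracking whether the backslash was itself escaped fixes both branches. The loop body continues outside this hunk, and the nPrevCh bookkeeping there can presumably stay as it is.

```cpp
// Start with 1 nesting level as we read a '(' above already.
int nDepth = 1;
// True when the previous character was a backslash that was not itself escaped.
bool bBackslash = false;
OStringBuffer aBuf;
while (!rStream.eof())
{
    // ch is escaped only if an unescaped backslash precedes it.
    const bool bEscaped = bBackslash;
    bBackslash = !bEscaped && ch == '\\';

    if (!bEscaped && ch == '(')
        ++nDepth;

    if (!bEscaped && ch == ')')
        --nDepth;

    if (nDepth == 0)
    {
        // … unchanged: store m_aValue, log it, return true …
```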
@@ -448,6 +448,8 @@ void PDFSigningTest::testTokenize() // File that's intentionally smaller than 1024 bytes. "small.pdf", "tdf107149.pdf", +// Nested parentheses were not handled. +"tdf114460.pdf", }; for (const auto& rName : aNames) ___ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits