summaryrefslogtreecommitdiff
path: root/vcl/source
diff options
context:
space:
mode:
authorMiklos Vajna <vmiklos@collabora.co.uk>2018-03-02 11:18:21 +0100
committerMichael Stahl <mstahl@redhat.com>2018-03-02 15:31:41 +0100
commitbea0195cecc05008b3120ef753c25c0d8d4abccc (patch)
tree8d8445860b4a0a1ccea6abe9c36c8d45abdd8c52 /vcl/source
parent7a7116f2f570eb2d3bdc681a357046391efe9857 (diff)
forcepoint #16: fix heap-use-after-free
PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a PDFObjectElement, stores it as an owning pointer inside rElements, and also stores two non-owning references to it in m_aOffsetObjects and m_aIDObjects. So make sure those 2 other containers are also cleared then elements go away. LO_TRACE="valgrind" bin/run pdfverify <sample> doesn't report errors anymore after the fix. Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc Reviewed-on: https://gerrit.libreoffice.org/50631 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Michael Stahl <mstahl@redhat.com>
Diffstat (limited to 'vcl/source')
-rw-r--r--vcl/source/filter/ipdf/pdfdocument.cxx4
1 files changed, 3 insertions, 1 deletions
diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index 11c4519e44cf..a9f78fbe7f8c 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1266,8 +1266,10 @@ bool PDFDocument::Read(SvStream& rStream)
if (pPrev)
nStartXRef = pPrev->GetValue();
- // Reset state, except object offsets and the edit buffer.
+ // Reset state, except the edit buffer.
m_aElements.clear();
+ m_aOffsetObjects.clear();
+ m_aIDObjects.clear();
m_aStartXRefs.clear();
m_aEOFs.clear();
m_pTrailer = nullptr;