From bea0195cecc05008b3120ef753c25c0d8d4abccc Mon Sep 17 00:00:00 2001
From: Miklos Vajna
Date: Fri, 2 Mar 2018 11:18:21 +0100
Subject: forcepoint #16: fix heap-use-after-free

PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a PDFObjectElement, stores it as an owning pointer inside rElements, and also stores two non-owning references to it in m_aOffsetObjects and m_aIDObjects. So make sure those 2 other containers are also cleared then elements go away.

LO_TRACE="valgrind" bin/run pdfverify doesn't report errors anymore after the fix.

Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
Reviewed-on: https://gerrit.libreoffice.org/50631
Reviewed-by: Michael Stahl
Tested-by: Michael Stahl
---
 vcl/source/filter/ipdf/pdfdocument.cxx | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'vcl/source/filter')

diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index 11c4519e44cf..a9f78fbe7f8c 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1266,8 +1266,10 @@ bool PDFDocument::Read(SvStream& rStream)
     if (pPrev)
         nStartXRef = pPrev->GetValue();
-    // Reset state, except object offsets and the edit buffer.
+    // Reset state, except the edit buffer.
     m_aElements.clear();
+    m_aOffsetObjects.clear();
+    m_aIDObjects.clear();
     m_aStartXRefs.clear();
     m_aEOFs.clear();
     m_pTrailer = nullptr;
-- 
cgit v1.2.1
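Review bot: The new `m_aOffsetObjects.clear();` and `m_aIDObjects.clear();` lines encode an ownership invariant that the code itself does not state: the two maps hold raw pointers into `m_aElements`, so any path that clears or shrinks `m_aElements` without also clearing them recreates the use-after-free this commit fixes. Putting that in a comment where the three clears sit would make the next reset site less likely to miss it, e.g. `// m_aOffsetObjects and m_aIDObjects hold non-owning pointers into m_aElements; clear them together.` Ordering-wise the two non-owning maps could be cleared before `m_aElements.clear()` so no dangling entries exist even momentarily, though nothing in this hunk dereferences them in between. If `m_aElements` is cleared or truncated anywhere else in the class (not visible here), the same pairing is needed there, and a small private reset helper would enforce it rather than relying on each caller. PDFDocument::Read continues outside the hunk.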