From 6ba8c036e9a2147156a426550d97144d16f4cd02 Mon Sep 17 00:00:00 2001
Message-Id: <6ba8c036e9a2147156a426550d97144d16f4cd02.1518615186.git.mjg@fedoraproject.org>
From: Sebastian Rasmussen
Date: Mon, 29 Jan 2018 23:40:19 +0100
Subject: [PATCH] Bug 698908: Resize object use and renumbering lists after repair.

Previously repair might end up increasing xref_len, but the lists were not correspodingly expanded, leading to ASAN complaints.
---
 source/pdf/pdf-write.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/source/pdf/pdf-write.c b/source/pdf/pdf-write.c
index 9fcdbf0a..beb49252 100644
--- a/source/pdf/pdf-write.c
+++ b/source/pdf/pdf-write.c
@@ -633,7 +633,8 @@ expand_lists(fz_context *ctx, pdf_write_state *opts, int num)
 {
 int i;
- num++;
+ /* objects are numbered 0..num and maybe two additional objects for linearization */
+ num += 3;
 opts->use_list = fz_resize_array(ctx, opts->use_list, num, sizeof(*opts->use_list));
 opts->ofs_list = fz_resize_array(ctx, opts->ofs_list, num, sizeof(*opts->ofs_list));
 opts->gen_list = fz_resize_array(ctx, opts->gen_list, num, sizeof(*opts->gen_list));
@@ -1522,9 +1523,9 @@ static void preloadobjstms(fz_context *ctx, pdf_document *doc)
 {
 pdf_obj *obj;
 int num;
- int xref_len = pdf_xref_len(ctx, doc);
- for (num = 0; num < xref_len; num++)
+ /* xref_len may change due to repair, so check it every iteration */
+ for (num = 0; num < pdf_xref_len(ctx, doc); num++)
 {
 if (pdf_get_xref_entry(ctx, doc, num)->type == 'o')
 {
@@ -2755,7 +2756,7 @@ static void initialise_write_state(fz_context *ctx, pdf_document *doc, const pdf
 opts->continue_on_error = in_opts->continue_on_error;
 opts->errors = in_opts->errors;
- expand_lists(ctx, opts, xref_len + 3);
+ expand_lists(ctx, opts, xref_len);
 }
 /* Free the resources held by the dynamic write options */
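Review bot: The new comment in expand_lists describes num as the highest object number ("numbered 0..num"), but the callers visible in this patch pass xref_len, which is a count, so the comment does not explain what `num += 3` actually reserves. The change also shrinks the initial allocation from initialise_write_state by one element: it used to be `xref_len + 3` followed by `num++`, and is now `xref_len` followed by `num += 3`. That is presumably still sufficient, but these are heap arrays indexed by object number, so the slack should be spelled out exactly, for example `/* num is the xref length (objects 0..num-1); +3 leaves room for two linearization objects and one spare slot */` if that is the intent. The body of expand_lists continues past the end of the hunk.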
@@ -2892,6 +2893,8 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
 {
 pdf_ensure_solid_xref(ctx, doc, xref_len);
 preloadobjstms(ctx, doc);
+ xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+ expand_lists(ctx, opts, xref_len);
 }
 /* Sweep & mark objects from the trailer */
@@ -2900,6 +2903,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
 else
 {
 xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+ expand_lists(ctx, opts, xref_len);
 for (num = 0; num < xref_len; num++)
 opts->use_list[num] = 1;
 }
@@ -2920,6 +2924,7 @@ do_pdf_save_document(fz_context *ctx, pdf_document *doc, pdf_write_state *opts,
 if ((opts->do_garbage >= 2 || opts->do_linear) && !opts->do_incremental)
 {
 xref_len = pdf_xref_len(ctx, doc); /* May have changed due to repair */
+ expand_lists(ctx, opts, xref_len);
 while (xref_len > 0 && !opts->use_list[xref_len-1])
 xref_len--;
 }
-- 
2.16.1.312.g365a692731
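Review bot: The lists are resized only at three hand-picked points in do_pdf_save_document (here after preloadobjstms, and again in the hunks at -2900 and -2920), so any code between them that indexes use_list by object number still assumes no repair has happened since the last call. The sweep announced by the trailing comment lies outside this hunk. If marking can load objects and trigger repair the way preloadobjstms does, the same out-of-bounds write could recur there, so the code that writes the lists should either check the object number against the current list length or grow the lists on demand. Folding the refresh-and-expand pair into one helper, as sketched below, would at least stop the two steps from drifting apart at future call sites. do_pdf_save_document starts and ends outside all three hunks.

```c
/* Re-read the xref length (repair may have grown it) and size the lists to match. */
static int
refresh_xref_len(fz_context *ctx, pdf_document *doc, pdf_write_state *opts)
{
	int xref_len = pdf_xref_len(ctx, doc);
	expand_lists(ctx, opts, xref_len);
	return xref_len;
}

/* … unchanged: pdf_ensure_solid_xref and preloadobjstms calls … */
		xref_len = refresh_xref_len(ctx, doc, opts);
```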