46 lines
1.5 KiB
Diff
46 lines
1.5 KiB
Diff
From c2663e51238ec8256da7fc61ad580db891d9fe9a Mon Sep 17 00:00:00 2001
|
|
From: Sebastian Rasmussen <sebras@gmail.com>
|
|
Date: Mon, 25 Sep 2017 13:04:11 +0200
|
|
Subject: [PATCH] Bug 698592: Mark variable fz_var(), avoiding optimization.
|
|
|
|
The change in 2707fa9e8e6d17d794330e719dec1b08161fb045
|
|
in build_filter_chain() allows for the variable chain
|
|
to reside in a register, which means that the bug is
|
|
likely to only be visible if built under optimization.
|
|
|
|
First the chain variable is transferred to chain2, then
|
|
set to NULL, then when an exception occurs in build_filter()
|
|
the filter chain will be freed by build_filter(). Next
|
|
the expectation is that execution proceeds to fz_catch()
|
|
where fz_drop_stream() would be called with chain == NULL.
|
|
|
|
However due to the chain variable residing in a register,
|
|
its value is not NULL as expected, but was reset to its
|
|
original value upon the exception (since they use setjmp()),
|
|
hence fz_drop_stream() is called with a non-NULL value.
|
|
|
|
Marking the chain variable with fz_var() prevents the
|
|
compiler from allowing the chain variable to reside in
|
|
a register and hence its value will remain NULL and
|
|
never be reset.
|
|
---
|
|
source/pdf/pdf-stream.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/source/pdf/pdf-stream.c b/source/pdf/pdf-stream.c
|
|
index baf9f0a..56592b0 100644
|
|
--- a/source/pdf/pdf-stream.c
|
|
+++ b/source/pdf/pdf-stream.c
|
|
@@ -246,6 +246,8 @@ build_filter_chain(fz_context *ctx, fz_stream *chain, pdf_document *doc, pdf_obj
|
|
pdf_obj *p;
|
|
int i, n;
|
|
|
|
+ fz_var(chain);
|
|
+
|
|
fz_try(ctx)
|
|
{
|
|
n = pdf_array_len(ctx, fs);
|
|
--
|
|
2.9.1
|
|
|