diff options
author | Robin Watts <Robin.Watts@artifex.com> | 2023-04-05 13:44:28 +0100 |
---|---|---|
committer | Robin Watts <Robin.Watts@artifex.com> | 2023-04-05 18:00:49 +0100 |
commit | 38af36ec272280bebd503d9b0419e27e5b9a239c (patch) | |
tree | 8c0bcbd26f5bb3ef08f92d23f32c479c52535c4f /gpdl | |
parent | 552f078788a5c91d2ae5f8114f63eb05f6b30bea (diff) | |
download | ghostpdl-38af36ec272280bebd503d9b0419e27e5b9a239c.tar.gz |
Bug 706539: Fix crash seen when decoding 2 tiffs in a row.
After decoding the first tiff, we free the buffer used to
hold the tiff, but forgot to reset the size of the buffer.
This meant that on trying to read the second tiff, we'd
attempt to use an empty buffer, and crash.
Diffstat (limited to 'gpdl')
-rw-r--r-- | gpdl/tifftop.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/gpdl/tifftop.c b/gpdl/tifftop.c index 49f4a7dc9..7bba78490 100644 --- a/gpdl/tifftop.c +++ b/gpdl/tifftop.c @@ -249,6 +249,7 @@ tiff_impl_init_job(pl_interp_implementation_t *impl, tiff->dev = device; tiff->state = ii_state_identifying; + tiff->buffer_full = 0; return 0; } @@ -1187,6 +1188,8 @@ fail_decode: if (tiff->tiff_buffer) { gs_free_object(tiff->memory, tiff->tiff_buffer, "tiff_impl_process(tiff_buffer)"); tiff->tiff_buffer = NULL; + tiff->buffer_max = 0; + tiff->buffer_full = 0; } /* We want to bin any data we get up to, but not including * a UEL. */ |