diff options
| author | Chris Liddell <chris.liddell@artifex.com> | 2022-01-12 11:08:36 +0000 |
|---|---|---|
| committer | Chris Liddell <chris.liddell@artifex.com> | 2022-01-12 16:54:22 +0000 |
| commit | 4affbf8fe0e5982058c498a33689cc5182eab0ed (patch) | |
| tree | 6f373fff9b69bc93fef80d445202bf7b5907ef13 /pdf/pdf_text.c | |
| parent | b98c81c443fc9ea7c6351eff306da74765d2581e (diff) | |
| download | ghostpdl-4affbf8fe0e5982058c498a33689cc5182eab0ed.tar.gz | |
oss-fuzz 42998: Drawing text: don't rely on the stack reference
for the string operand.
We were relying on the operand stack reference for the string object to remain
valid for the duration of the text drawing operation, but this is not sure to
be the case. If a pdfi error occurs during the text drawing it can cause the
entire stack to be cleared. Thus we need to a "local", counted reference to the
string, so the object remains valid until we're finished with it.
Diffstat (limited to 'pdf/pdf_text.c')
| -rw-r--r-- | pdf/pdf_text.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/pdf/pdf_text.c b/pdf/pdf_text.c index 819035315..d8296bed0 100644 --- a/pdf/pdf_text.c +++ b/pdf/pdf_text.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2018-2021 Artifex Software, Inc. +/* Copyright (C) 2018-2022 Artifex Software, Inc. All Rights Reserved. This software is provided AS-IS with no warranty, either express or @@ -1081,6 +1081,13 @@ int pdfi_Tj(pdf_context *ctx) if (s->type != PDF_STRING) return_error(gs_error_typecheck); + /* We can't rely on the stack reference because an error during + the text operation (i.e. retrieving objects for glyph metrics + may cause the stack to be cleared. + */ + pdfi_countup(s); + pdfi_pop(ctx, 1); + /* Save the CTM for later restoration */ saved = ctm_only(ctx->pgs); gs_currentpoint(ctx->pgs, &initial_point); @@ -1155,7 +1162,7 @@ Tj_error: ctx->pgs->line_params.half_width = linewidth; exit: - pdfi_pop(ctx, 1); + pdfi_countdown(s); return code; } |