forcepoint #16: fix heap-use-after-free
PDFDocument::Tokenize() in the aKeyword == "obj" case allocates a
PDFObjectElement, stores it as an owning pointer inside rElements, and
also stores two non-owning references to it in m_aOffsetObjects and
m_aIDObjects. So make sure those 2 other containers are also cleared
when elements go away.
LO_TRACE="valgrind" bin/run pdfverify <sample>
doesn't report errors anymore after the fix.
Change-Id: Ie103de3e24a1080257a79e53b994e8536a9597bc
Reviewed-on: https://gerrit.libreoffice.org/50632
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
diff --git a/vcl/source/filter/ipdf/pdfdocument.cxx b/vcl/source/filter/ipdf/pdfdocument.cxx
index cd6bf46..2c4c928 100644
--- a/vcl/source/filter/ipdf/pdfdocument.cxx
+++ b/vcl/source/filter/ipdf/pdfdocument.cxx
@@ -1281,8 +1281,10 @@ bool PDFDocument::Read(SvStream& rStream)
if (pPrev)
nStartXRef = pPrev->GetValue();
// Reset state, except object offsets and the edit buffer.
// Reset state, except the edit buffer.
m_aElements.clear();
m_aOffsetObjects.clear();
m_aIDObjects.clear();
m_aStartXRefs.clear();
m_aEOFs.clear();
m_pTrailer = nullptr;
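Review bot: the fix is correct for this reset path in Read(), but the three containers (m_aElements, m_aOffsetObjects, m_aIDObjects) now have to be cleared together at every site, and nothing enforces that. Consider folding the three clear() calls into one small helper (or clearing the two index containers from the same place that owns m_aElements) so the next reset added to Read() or elsewhere cannot reintroduce dangling non-owning pointers. The updated comment "Reset state, except the edit buffer." correctly reflects that object offsets are no longer preserved across the reset.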
diff --git a/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
new file mode 100644
index 0000000..9edccb47
--- /dev/null
+++ b/xmlsecurity/qa/unit/pdfsigning/data/forcepoint16.pdf
Binary files differ
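Review bot: the reproducer is added as an opaque binary, and neither the commit message nor the test says what in it drives Read() through the reset path (a document with a previous xref section, per the pPrev/nStartXRef context above). A one-line description of the triggering structure, here or in the test comment, would let a reviewer confirm the sample actually covers the fixed code rather than just happening to avoid the crash.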
diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
index 08e41df..55289fc 100644
--- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
+++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx
@@ -418,6 +418,8 @@ void PDFSigningTest::testTokenize()
"tdf107149.pdf",
// Nested parentheses were not handled.
"tdf114460.pdf",
// Valgrind was unhappy about this.
"forcepoint16.pdf",
};
for (const auto& rName : aNames)
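Review bot: the comment "Valgrind was unhappy about this." does not tell a future reader what this entry guards; state the defect, e.g. "heap-use-after-free: m_aOffsetObjects/m_aIDObjects kept pointers into a cleared m_aElements in Read()". Note also that testTokenize() only proves the fix when the build runs under valgrind or a sanitizer; without one, a regression here would not fail the test, so it is worth keeping the sanitizer CI job in mind as the real gate for this case.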