Commit 0e6c3ff9 authored by Albert Astals Cid

Check obj1 is a stream before getting the stream

It seems we already did this check a few lines above, and indeed we did,
but on very broken documents, if arr[1] is a Ref, getting objects may
end up in a reconstruct xref call which may end up changing the type of
arr[1] the next time we ask for it

oss-fuzz/29260
parent 3ac779d9
Pipeline #251404 passed with stage
in 6 minutes and 52 seconds
......@@ -16,7 +16,7 @@
// Copyright (C) 2005 Kristian Høgsberg <krh@redhat.com>
// Copyright (C) 2006, 2007 Jeff Muizelaar <jeff@infidigm.net>
// Copyright (C) 2006, 2010 Carlos Garcia Campos <carlosgc@gnome.org>
// Copyright (C) 2006-2020 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2006-2021 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2009, 2012 Koji Otani <sho@bbr.jp>
// Copyright (C) 2009, 2011-2016, 2020 Thomas Freitag <Thomas.Freitag@alfa.de>
// Copyright (C) 2009, 2019 Christian Persch <chpe@gnome.org>
......@@ -1713,6 +1713,10 @@ GfxColorSpace *GfxICCBasedColorSpace::parse(Array *arr, OutputDev *out, GfxState
#ifdef USE_CMS
obj1 = arr->get(1);
if (!obj1.isStream()) {
error(errSyntaxWarning, -1, "Bad ICCBased color space (stream)");
return nullptr;
}
unsigned char *profBuf;
Stream *iccStream = obj1.getStream();
int length = 0;
......
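Review bot: the guard added directly after `obj1 = arr->get(1);` carries no code comment explaining why it repeats a check that, per the commit message, already exists a few lines above, so it reads as redundant and is at risk of being dropped in a later cleanup. Add a short comment at the `if (!obj1.isStream())` line noting that on broken documents fetching a Ref can trigger an xref reconstruction, which may change the type returned for arr[1] on the next get. Also consider keeping the object fetched for the earlier check and reusing it here instead of calling `arr->get(1)` again, so that the type that was checked is the type `obj1.getStream()` is called on.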