Created attachment 12809 [details] reproducer Hello, there is an use-after-free in pdf_to_num triggered from a crafted file. I'm attaching: 1) The reproducer; 2) The stacktrace provided by Address Sanitizer;
Created attachment 12810 [details] stacktrace
The command to reproduce the issue is: # mutool info $REPRODUCER
Fixed in: commit 1e03c06456d997435019fb3526fa2d4be7dbc6ec Author: Robin Watts <robin.watts@artifex.com> Date: Thu Sep 22 13:44:45 2016 +0100 Bug 697015: Avoid object references vanishing during repair. A PDF repair can be triggered 'just in time', when we encounter a problem in the file. The idea is that this can happen without the enclosing code being aware of it. Thus the enclosing code may be holding 'borrowed' references (such as those returned by pdf_dict_get()) at the time when the repair is triggered. We are therefore at pains to ensure that the repair does not replace any objects that exist already, so that the calling code will not have these references unexpectedly invalidated. The sole exception to this is when we replace the 'Length' fields in stream dictionaries with the actual lengths. Bug 697015 shows exactly this situation causing a reference to become invalid. The solution implemented here is to add an 'orphan list' to the document, where we put these (hopefully few, small) objects. These orphans are kept around until the document is closed. Thanks!
*** Bug 697019 has been marked as a duplicate of this bug. ***