authorKen Sharp <ken.sharp@artifex.com>2022-08-10 08:19:15 +0100
committerKen Sharp <ken.sharp@artifex.com>2022-08-10 08:45:16 +0100
commit941c74b068dc50c89881f1092b409f8dbd7f583b (patch)
tree5f47f029fe49a318963a4752401f6aa8948f58b0 /devices/gxfcopy.c
parent4eaefcce1e330998359c85ee7011dd30f81e2d78 (diff)
downloadghostpdl-941c74b068dc50c89881f1092b409f8dbd7f583b.tar.gz
Fonts - fix cleanup of copied fonts on error
Showed up with some of the OSS-fuzz tests which exhaust memory, when run with pdfwrite. Example command line: -K1048576 -r200x200 -sBandListStorage=memory -dMaxBitmap=0 -dBufferSpace=450k -dMediaPosition=1 -dcupsColorSpace=1 -dSAFER -dNOPAUSE -dBATCH -dNOINTERPOLATE -dNOMEDIAATTRS -sOutputFile=/temp/out.pdf -sDEVICE=pdfwrite D:\bugs\oss-fuzz\49803.pdf The problem is that after we allocate the font structure for the copy of the font, it will be finalized if we free it, so we need to set up enough of the font immediately, in case we do free it, as noted in the comment. But we were copying the UID from the source font and not replacing it until much later. If we were able to allocate the 'copied' font, but not able to allocate one of the other structures (glyphs or cfdata) we would goto the fail condition where we would try to free the 'copied' font. Because we had not updated the UID this would then crash. Fix it by moving the UID setup into the section where we initialise 'just enough' of the new font. If setting up the UID fails, then set the UID to 'invalid' instead.
Diffstat (limited to 'devices/gxfcopy.c')
-rw-r--r--devices/gxfcopy.c23
1 files changed, 12 insertions, 11 deletions
diff --git a/devices/gxfcopy.c b/devices/gxfcopy.c
index 76f0a19e7..571ff6463 100644
--- a/devices/gxfcopy.c
+++ b/devices/gxfcopy.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -2108,6 +2108,8 @@ gs_copy_font(gs_font *font, const gs_matrix *orig_matrix, gs_memory_t *mem, gs_f
copied = gs_alloc_struct(mem, gs_font, fstype,
"gs_copy_font(copied font)");
if (copied) {
+ gs_font_base *bfont = (gs_font_base *)copied;
+
/* Initialize the copied font - minumum we need
* so we can safely free it in the "fail:" case
* below
@@ -2118,6 +2120,15 @@ gs_copy_font(gs_font *font, const gs_matrix *orig_matrix, gs_memory_t *mem, gs_f
copied->is_resource = false;
gs_notify_init(&copied->notify_list, mem);
copied->base = copied;
+
+ bfont->FAPI = 0;
+ bfont->FAPI_font_data = 0;
+ bfont->encoding_index = ENCODING_INDEX_UNKNOWN;
+ code = uid_copy(&bfont->UID, mem, "gs_copy_font(UID)");
+ if (code < 0) {
+ uid_set_invalid(&bfont->UID);
+ goto fail;
+ }
}
cfdata = gs_alloc_struct(mem, gs_copied_font_data_t,
&st_gs_copied_font_data,
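Review bot: The added `goto fail` after `uid_copy` now fires before `cfdata` (allocated on the very next line) and `glyphs` have been assigned, so the cleanup at `fail:` will see whatever those variables hold at that point; this is only safe if both are initialized to NULL at their declarations, which lie outside the hunk and should be confirmed rather than inferred from the later allocation order. gs_copy_font starts and ends outside this hunk. The `uid_set_invalid` call deserves a why-comment, since its purpose is not obvious from the code: `/* freeing 'copied' at fail: presumably runs its finalizer, so leave a UID it can release safely */` (the commit message gives this as the cause of the crash, though the finalizer itself is not visible here). The block comment above (`Initialize the copied font - minumum we need ...`) should also name the UID among the fields that must be valid before the first possible free.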
@@ -2179,16 +2190,6 @@ gs_copy_font(gs_font *font, const gs_matrix *orig_matrix, gs_memory_t *mem, gs_f
copied->procs.encode_char = procs->encode_char;
copied->procs.glyph_info = procs->glyph_info;
copied->procs.glyph_outline = procs->glyph_outline;
- {
- gs_font_base *bfont = (gs_font_base *)copied;
-
- bfont->FAPI = 0;
- bfont->FAPI_font_data = 0;
- bfont->encoding_index = ENCODING_INDEX_UNKNOWN;
- code = uid_copy(&bfont->UID, mem, "gs_copy_font(UID)");
- if (code < 0)
- goto fail;
- }
cfdata->procs = procs;
memset(glyphs, 0, glyphs_size * sizeof(*glyphs));