Graphics library and xpswrite - clean up properly on error

OSS-fuzz 50779

The gdevp14 device was not calling end_image if an error occurred while
sending an image to the output device. The xpswrite device only cleans
up its TIFF image on receipt of an end_image call, which meant that the
'tiff' member allocated in the image enumerator was never freed.

So start by making the gdevp14 device call end_image if it gets an error
in case any other devices have similar requirements.

For a belt and braces approach, have the xpswrite device's finalize
routine for image enumerators free the tif member if it has been
initialised. To do this we first need to actually initialise it to NULL
on creation of the image enumerator, and set it back to NULL in the
end_image routine when we free it.

1 files changed, 7 insertions, 0 deletions

diff --git a/devices/vector/gdevxps.c b/devices/vector/gdevxps.c
index 1ab854be1..7ca640e47 100644
--- a/devices/vector/gdevxps.c
+++ b/devices/vector/gdevxps.c
@@ -1930,6 +1930,7 @@ xps_begin_typed_image(gx_device               *dev,
     pie->buffer = NULL;
     pie->devc_buffer = NULL;
     pie->pgs = NULL;
+    pie->tif = NULL;
 
     /* Set the brush types to image */
     xps_setstrokebrush(xdev, xps_imagebrush);
@@ -2297,6 +2298,7 @@ xps_image_end_image(gx_image_enum_common_t * info, bool draw_last)
     code = TIFFWriteDirectory(pie->tif);
     tiff_client_release((gx_device_xps*)(pie->dev), pie->tif);
     TIFFCleanup(pie->tif);
+    pie->tif = NULL;
 
     /* Stuff the image into the zip archive and close the file */
     code = xps_add_tiff_image(pie);
@@ -2597,5 +2599,10 @@ xps_image_enum_finalize(const gs_memory_t *cmem, void *vptr)
     /* ICC clean up */
     if (xpie->icc_link != NULL)
         gsicc_release_link(xpie->icc_link);
+    if (xpie->tif != NULL) {
+        tiff_client_release((gx_device_xps*)(xpie->dev), xpie->tif);
+        TIFFCleanup(xpie->tif);
+        xpie->tif = NULL;
+    }
     xdev->xps_pie = NULL;
 }