author | Chris Liddell <chris.liddell@artifex.com> | 2022-11-15 15:57:33 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2022-11-15 16:38:12 +0000 |
commit | 8c960b62ec6d5bde24b853a33054e9c1214b6034 (patch) | |
tree | 584deabe67dd8a40e28fff2ba05638eaeec78131 /devices | |
parent | 8d06b2abbe69be8386566467a2bcee5259186b7a (diff) | |
oss-fuzz 53176: pdfwrite - avoid double free of glyph usage/widths
In alloc_font_cache_elem_arrays() if we fail to allocate either the
glyph_usage or real_widths arrays, we free the other, and return an error.
But we weren't nulling the pointers, so if the function was called again (which
it is likely to be) we'd potentially "free" one or other pointer a second time,
causing memory corruption.
Diffstat (limited to 'devices')
-rw-r--r-- | devices/vector/gdevpdtt.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/devices/vector/gdevpdtt.c b/devices/vector/gdevpdtt.c index 9483e0510..5d58e4766 100644 --- a/devices/vector/gdevpdtt.c +++ b/devices/vector/gdevpdtt.c @@ -837,6 +837,9 @@ alloc_font_cache_elem_arrays(gx_device_pdf *pdev, pdf_font_cache_elem_t *e, "pdf_attach_font_resource"); gs_free_object(pdev->pdf_memory, e->real_widths, "alloc_font_cache_elem_arrays"); + /* Avoid risk of double freeing above if we come around again */ + e->glyph_usage = NULL; + e->real_widths = NULL; return_error(gs_error_VMerror); } e->num_chars = num_chars; |
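Review bot: On the error path in alloc_font_cache_elem_arrays(), both pointers are now reset, but e->num_chars is still only assigned after the block (`e->num_chars = num_chars;`), so after a failed call the element can carry whatever num_chars it held before alongside two NULL arrays. If any user of the cache element sizes or indexes glyph_usage or real_widths from e->num_chars without first checking the pointers, consider also setting e->num_chars to 0 before `return_error(gs_error_VMerror);`, or confirm that every user checks for NULL first. Minor: the context line just above the second gs_free_object() call ends with the client name "pdf_attach_font_resource", while the second call uses "alloc_font_cache_elem_arrays"; using the function's own name in both would make allocator traces easier to follow. A small free-and-null helper would also keep this pattern from being missed on other error paths.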