authorChris Liddell <chris.liddell@artifex.com>2022-11-15 15:57:33 +0000
committerChris Liddell <chris.liddell@artifex.com>2022-11-15 16:38:12 +0000
commit8c960b62ec6d5bde24b853a33054e9c1214b6034 (patch)
tree584deabe67dd8a40e28fff2ba05638eaeec78131 /devices
parent8d06b2abbe69be8386566467a2bcee5259186b7a (diff)
oss-fuzz 53176: pdfwrite - avoid double free of glyph usage/widths
In alloc_font_cache_elem_arrays() if we fail to allocate either the glyph_usage or real_widths arrays, we free the other, and return an error. But we weren't nulling the pointers, so if the function was called again (which it is likely to be) we'd potentially "free" one or other pointer a second time, causing memory corruption.
Diffstat (limited to 'devices')
-rw-r--r--devices/vector/gdevpdtt.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/devices/vector/gdevpdtt.c b/devices/vector/gdevpdtt.c
index 9483e0510..5d58e4766 100644
--- a/devices/vector/gdevpdtt.c
+++ b/devices/vector/gdevpdtt.c
@@ -837,6 +837,9 @@ alloc_font_cache_elem_arrays(gx_device_pdf *pdev, pdf_font_cache_elem_t *e,
"pdf_attach_font_resource");
gs_free_object(pdev->pdf_memory, e->real_widths,
"alloc_font_cache_elem_arrays");
+ /* Avoid risk of double freeing above if we come around again */
+ e->glyph_usage = NULL;
+ e->real_widths = NULL;
return_error(gs_error_VMerror);
}
e->num_chars = num_chars;
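Review bot: The comment added above the two NULL assignments ("if we come around again") does not say which later path would free the pointers a second time, and since alloc_font_cache_elem_arrays() starts and ends outside this hunk, the invariant being restored cannot be read from here. Going by the commit description, I would state it directly, e.g. `/* e persists after this error return; clear both so a repeat call or later cleanup cannot free them again */`. Resetting each pointer immediately after its own gs_free_object() call, rather than after both, would keep the free/clear pairing intact if code is later inserted between them. Separately, the first free passes the client name "pdf_attach_font_resource" while the second passes "alloc_font_cache_elem_arrays"; if that is not intentional, aligning them would make allocator traces easier to follow when triaging memory-corruption reports like this one.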