diff options
author | Chris Liddell <chris.liddell@artifex.com> | 2023-03-07 12:10:35 +0000 |
---|---|---|
committer | Chris Liddell <chris.liddell@artifex.com> | 2023-03-07 12:10:35 +0000 |
commit | bdd007f7cee19de3c9897351d24ae1c7ad39208f (patch) | |
tree | 36174cba788bf37fed79aec4c303aba9b8c62ddd /devices | |
parent | 85f185871e4a9a03254a45d9a8b59f0b2d934df8 (diff) | |
download | ghostpdl-bdd007f7cee19de3c9897351d24ae1c7ad39208f.tar.gz |
pdfwrite: Don't free copied font object when it's in use
If we spot early on that that we can't create a complete copy of a font (i.e.
if the font is incrememntally defined), we discard the attempted complete copy
and set the "complete" pointer to the same as the "copied" (subsetted) pointer.
But it turns out that, later, there is also a code path that requires discarding
the "complete" font, which wasn't accounting for the possibility that the two
pointers pointed to the same font object.
So, we now check whether the two pointers are the same, and if so, we simply
null the "complete" pointer.
Fixes oddly hard to reproduce segfaults from the nightly and weekly tests.
Diffstat (limited to 'devices')
-rw-r--r-- | devices/vector/gdevpdtb.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c index bab7995df..138c2a40d 100644 --- a/devices/vector/gdevpdtb.c +++ b/devices/vector/gdevpdtb.c @@ -430,7 +430,8 @@ pdf_base_font_drop_complete(pdf_base_font_t *pbfont) * free the members which are common to both, so this cast is * (at the time of writing) safe. */ - gs_free_copied_font((gs_font *)pbfont->complete); + if (pbfont->complete != pbfont->copied) + gs_free_copied_font((gs_font *)pbfont->complete); pbfont->complete = NULL; } |