authorAlex Cherepanov <alex.cherepanov@artifex.com>2007-02-12 14:06:50 +0000
committerAlex Cherepanov <alex.cherepanov@artifex.com>2007-02-12 14:06:50 +0000
commite833acd440c5ff694cec3237eeed45cef69eb02e (patch)
tree45bf1c640bf439ea114391ed3b0bb6e8026e7539 /gs/src/ialloc.c
parent93dc93589bc3ca25fd2132dfdd1af749209e87c9 (diff)
Change the order of allocations because alloc_save_change_alloc() leaves
the alloc_change_t structure it allocates in a state that causes a SEGV in GC if its 'where' member is not initialized. Bug 688833, customer 1130. DETAILS: Allocation of an alloc_change_t structure without further initialization happened when allocation of a new run of references failed. The latter may be easily triggered by interpretation of random bytes as a binary object sequence. DIFFERENCES: None git-svn-id: http://svn.ghostscript.com/ghostscript/trunk@7694 a1074d23-0009-0410-80fe-cf8c14f379e6
Diffstat (limited to 'gs/src/ialloc.c')
-rw-r--r--gs/src/ialloc.c17
1 files changed, 8 insertions, 9 deletions
diff --git a/gs/src/ialloc.c b/gs/src/ialloc.c
index bf135b0d1..12d445804 100644
--- a/gs/src/ialloc.c
+++ b/gs/src/ialloc.c
@@ -185,14 +185,7 @@ gs_alloc_ref_array(gs_ref_memory_t * mem, ref * parr, uint attrs,
*/
chunk_t *pcc = mem->pcc;
ref *end;
- ref_packed **ppr = 0;
- int code = 0;
- if ((gs_memory_t *)mem != mem->stable_memory) {
- code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
- if (code < 0)
- return code;
- }
obj = gs_alloc_struct_array((gs_memory_t *) mem, num_refs + 1,
ref, &st_refs, cname);
if (obj == 0)
@@ -217,8 +210,14 @@ gs_alloc_ref_array(gs_ref_memory_t * mem, ref * parr, uint attrs,
chunk_locate_ptr(obj, &cl);
cl.cp->has_refs = true;
}
- if (ppr)
- *ppr = (ref_packed *)obj;
+ if ((gs_memory_t *)mem != mem->stable_memory) {
+ ref_packed **ppr = 0;
+ int code = alloc_save_change_alloc(mem, "gs_alloc_ref_array", &ppr);
+ if (code < 0)
+ return code;
+ if (ppr)
+ *ppr = (ref_packed *)obj;
+ }
}
make_array(parr, attrs | mem->space, num_refs, obj);
return 0;
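Review bot: The added `if (code < 0) return code;` returns after `obj` has already been obtained from `gs_alloc_struct_array`, and nothing on that path releases it or stores it in `parr`. Unless the collector is guaranteed to reclaim an unreferenced ref run (not visible here), that exit should free it first, e.g. `if (code < 0) { gs_free_object((gs_memory_t *)mem, obj, cname); return code; }`. The commit message says allocation failure is easy to provoke from malformed input, so every failure exit in this function needs to leave the allocator consistent. A short comment such as `/* Register the save change only after obj exists: an alloc_change_t with 'where' unset crashes the GC. */` would keep the ordering from being reverted later. The enclosing branch and the function itself begin and end outside this hunk.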