author: Ken Sharp <ken.sharp@artifex.com> 2021-11-15 09:49:22 +0000
committer: Ken Sharp <ken.sharp@artifex.com> 2021-11-15 09:49:22 +0000
commit: b4c1615027884d34e7172759af1be215bf562e0e (patch)
tree: dd4de8f33029db0c26c6ff609855cdfd26873d02 /pdf/pdf_fmap.c
parent: 7db1ae4245a2ec37ae256f11b96e50ebb2dc9f45 (diff)
download: ghostpdl-b4c1615027884d34e7172759af1be215bf562e0e.tar.gz
pdfwrite - handle unterminated substreams on exit
Bug #704477 "use-after-free in gs at gp_fflush (base/gp.h:294)"

This is a complicated problem, exhibited by a file which is utterly broken (fuzzed), and depends on a number of factors.

The problem occurs because we need to capture a CharProc for a glyph description; to do that we exit the device and return to the interpreter which runs the glyph description. We capture the operations to a 'substream'. While we are doing that, we point the device's 'stream' at the substream.

If an error occurs while running the glyph description the interpreter never finishes processing the text enumerator (or at least never returns to text_process) which means that we end up with a 'dangling' substream because the substream is closed in pdfwrite's text_process().

If we then do not emit a page we end up at the device's close() method with the device's stream member pointing at the substream, not the original main file. When we write the CharProc out we then discard the 'cos' object which the substream maintains a pointer to. Finally we try to close the device's main stream but, because it is pointed at the substream, we close that. That then seg faults because we have discarded the cos object it needs.

The solution is to close any open substreams (and flag an error, the output file WILL be invalid) when we close the device. This restores our way back up the substream stack, closing the streams as required and does so before we discard the cos objects. This is exactly what would have been done by the output_page() method if we had actually written any pages.

There is one slight complication; the ps2write device needs resources to be written before they are used, and that results in us having one extra substream in place at device close. So cater for that in the same way as is done elsewhere.
Diffstat (limited to 'pdf/pdf_fmap.c')
0 files changed, 0 insertions, 0 deletions
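The ordering problem the commit message describes, modelled as an added example that is not ghostpdl code: a device whose stream pointer is redirected at a substream while a CharProc is captured, a cos object that the substream refers to and that is released when the CharProc is written out, and two close() orders. All type and function names here (`device`, `stream`, `cos_obj`, `begin_substream`, `end_substream`, `device_close_before`, `device_close_after`, `run_scenario`) are hypothetical; the freed-memory read is simulated with a `discarded` flag rather than performed, so the model reports the fault instead of crashing. The "after" close unwinds however many substreams remain open before discarding any cos object, which is the order the message says output_page() would normally have produced.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the pdfwrite stream stack from the commit message.
   Written for this page; none of these names exist in ghostpdl. */

typedef struct cos_obj {
    int discarded;              /* set when released; stands in for freed memory */
} cos_obj;

typedef struct stream {
    cos_obj *cos;               /* backing object (substreams only; NULL for the main file) */
    struct stream *prev;        /* enclosing stream on the substream stack */
    int closed;
} stream;

typedef struct device {
    stream main_strm;           /* the real output file */
    stream *strm;               /* where writes currently go */
    int substream_error;        /* set when close() had to unwind a dangling substream */
} device;

#define UAF_DETECTED  (-2)      /* close touched a cos object that was already discarded */
#define FLAGGED_ERROR (-1)      /* closed cleanly, but the output file is invalid */

/* Begin capturing a CharProc: point the device's stream at a fresh substream. */
static int begin_substream(device *dev, cos_obj *cos)
{
    stream *s = calloc(1, sizeof *s);
    if (!s) return -3;
    s->cos = cos;
    s->prev = dev->strm;
    dev->strm = s;
    return 0;
}

/* Close one stream. In the real device this reads through s->cos, so a discarded
   cos object would be a use-after-free; the model reports it instead. */
static int close_stream(stream *s)
{
    if (s->cos && s->cos->discarded)
        return UAF_DETECTED;
    s->closed = 1;
    return 0;
}

/* What text_process() does when the glyph description completes normally:
   close the substream and pop back to the enclosing stream. */
static int end_substream(device *dev)
{
    stream *s = dev->strm;
    int rc;
    if (s == &dev->main_strm) return 0;     /* nothing open */
    rc = close_stream(s);
    dev->strm = s->prev;
    free(s);
    return rc;
}

/* Writing the CharProc out releases the cos object the substream points at. */
static void write_charproc_and_discard(cos_obj *cos) { cos->discarded = 1; }

/* Close order before the fix: resources are written (cos objects discarded), then
   dev->strm is closed, but on the broken file it still points at the substream. */
static int device_close_before(device *dev, cos_obj *cos)
{
    write_charproc_and_discard(cos);
    return close_stream(dev->strm);
}

/* Close order after the fix: unwind every substream still open, flagging the
   output as invalid, then discard resources, then close the main stream. */
static int device_close_after(device *dev, cos_obj *cos)
{
    int rc = 0;
    while (dev->strm != &dev->main_strm) {
        dev->substream_error = 1;
        if (end_substream(dev) != 0) rc = UAF_DETECTED;
    }
    write_charproc_and_discard(cos);
    if (close_stream(&dev->main_strm) != 0) rc = UAF_DETECTED;
    return (rc == 0 && dev->substream_error) ? FLAGGED_ERROR : rc;
}

/* Constructed scenario matching the message: a CharProc capture begins, the glyph
   description errors out so end_substream() never runs, no page is emitted, and
   the device is closed. Returns the close result for the chosen close order. */
static int run_scenario(int fixed)
{
    device dev;
    cos_obj cos = {0};
    int rc;
    memset(&dev, 0, sizeof dev);
    dev.strm = &dev.main_strm;
    if (begin_substream(&dev, &cos) != 0) return -3;
    /* interpreter error here: text_process() is never reached */
    rc = fixed ? device_close_after(&dev, &cos) : device_close_before(&dev, &cos);
    if (!fixed) {                            /* release the dangling substream the model leaked */
        stream *s = dev.strm;
        dev.strm = s->prev;
        free(s);
    }
    return rc;
}
```

`run_scenario(0)` reproduces the fault path (the substream is closed after its cos object is gone), while `run_scenario(1)` closes without touching discarded memory and reports only the flagged error, which is the trade the commit makes: an invalid output file instead of a crash.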