authorChris Liddell <chris.liddell@artifex.com>2022-01-18 12:50:15 +0000
committerChris Liddell <chris.liddell@artifex.com>2022-01-18 16:16:41 +0000
commita1f3fb482e257c3b52e470146ec4f9abd51e2ddd (patch)
treec044f45c9f03ca11f3e7e813b7c5c01ab6cdd754 /pdf
parent781d69de03e183ea3135a1931911325b6578ef10 (diff)
downloadghostpdl-a1f3fb482e257c3b52e470146ec4f9abd51e2ddd.tar.gz
oss-fuzz 43615: Keep a reference to the current pdfi font
in the pdfi graphics state. Previously, we relied on pdfi_gsave/pdfi_grestore to keep the reference count correct for the pdfi font from which the current gs_font in the graphics state is derived. This was, at best, a compromised approach, since it meant the lifespan of the font object was not directly tied to the graphics state which referenced it. We opted for this because, at the time, we wanted to avoid the upheaval of implementing a pdfi specific graphics state. That approach also couldn't account for graphics state copies created and destroyed by means other than gs_gsave/gs_grestore - such as saving the graphics state for subsequent use when evaluating an SMask group. Subsequently, other requirements made it clear a pdfi specific graphics state was absolutely required. As such, it makes sense to store a reference to the current (pdfi) font in the pdfi graphics state and, since the pdfi graphics state lifespan is tied to the gs_gstate lifespan, we can now connect the font objects' reference count to the graphics state(s) that reference them.
Diffstat (limited to 'pdf')
-rw-r--r--pdf/ghostpdf.c1
-rw-r--r--pdf/pdf_annot.c3
-rw-r--r--pdf/pdf_check.c3
-rw-r--r--pdf/pdf_font.c21
-rw-r--r--pdf/pdf_font3.c4
-rw-r--r--pdf/pdf_gstate.c73
-rw-r--r--pdf/pdf_gstate.h3
-rw-r--r--pdf/pdf_image.c1
-rw-r--r--pdf/pdf_int.c2
-rw-r--r--pdf/pdf_misc.c3
-rw-r--r--pdf/pdf_optcontent.c3
-rw-r--r--pdf/pdf_page.c1
-rw-r--r--pdf/pdf_path.c3
-rw-r--r--pdf/pdf_pattern.c1
-rw-r--r--pdf/pdf_shading.c3
-rw-r--r--pdf/pdf_text.c2
-rw-r--r--pdf/pdf_trans.c3
17 files changed, 47 insertions, 83 deletions
diff --git a/pdf/ghostpdf.c b/pdf/ghostpdf.c
index 8a306b7d1..b317c340d 100644
--- a/pdf/ghostpdf.c
+++ b/pdf/ghostpdf.c
@@ -24,6 +24,7 @@
#include "pdf_file.h"
#include "pdf_loop_detect.h"
#include "pdf_trans.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "stream.h"
#include "strmio.h"
diff --git a/pdf/pdf_annot.c b/pdf/pdf_annot.c
index 09bbb8d0c..9dd3cb31a 100644
--- a/pdf/pdf_annot.c
+++ b/pdf/pdf_annot.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -24,6 +24,7 @@
#include "pdf_loop_detect.h"
#include "pdf_colour.h"
#include "pdf_trans.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_misc.h"
#include "pdf_optcontent.h"
diff --git a/pdf/pdf_check.c b/pdf/pdf_check.c
index 80b2f3ab2..dd38dc583 100644
--- a/pdf/pdf_check.c
+++ b/pdf/pdf_check.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -24,6 +24,7 @@
#include "pdf_loop_detect.h"
#include "pdf_colour.h"
#include "pdf_trans.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_misc.h"
#include "pdf_check.h"
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index aade9baaa..1009fd770 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2021 Artifex Software, Inc.
+/* Copyright (C) 2018-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -16,6 +16,8 @@
/* Font operations for the PDF interpreter */
#include "pdf_int.h"
+#include "pdf_font_types.h"
+#include "pdf_gstate.h"
#include "pdf_file.h"
#include "pdf_dict.h"
#include "pdf_loop_detect.h"
@@ -24,7 +26,6 @@
#include "pdf_stack.h"
#include "pdf_misc.h"
#include "pdf_doc.h"
-#include "pdf_font_types.h"
#include "pdf_font0.h"
#include "pdf_font1.h"
#include "pdf_font1C.h"
@@ -41,12 +42,15 @@
static int pdfi_gs_setfont(pdf_context *ctx, gs_font *pfont)
{
int code = 0;
- pdf_font *old_font = pdfi_get_current_pdf_font(ctx);
+ pdfi_int_gstate *igs = (pdfi_int_gstate *)ctx->pgs->client_data;
+ pdf_font *old_font = igs->current_font;
code = gs_setfont(ctx->pgs, pfont);
- if (code >= 0)
+ if (code >= 0) {
+ igs->current_font = (pdf_font *)pfont->client_data;
+ pdfi_countup(igs->current_font);
pdfi_countdown(old_font);
-
+ }
return code;
}
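Review bot: `igs` is dereferenced on the line after the cast without a check, while pdfi_gstate_copy_cb and pdfi_gstate_free_cb in pdf_gstate.c both tolerate a NULL client-data pointer. If ctx->pgs can ever reach this function without pdfi client data (not visible from this hunk), reading `igs->current_font` is a NULL dereference while processing untrusted PDF input; a guard such as `if (igs == NULL) return_error(gs_error_unknownerror);` before that read would fail closed. The countup-before-countdown order inside the `if` is the safe one when the old and new font are the same object, and it deserves a one-line comment, e.g. `/* count up first: old_font may be the same object */`.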
@@ -816,6 +820,7 @@ int pdfi_load_dict_font(pdf_context *ctx, pdf_dict *stream_dict, pdf_dict *page_
{
int code;
gs_font *pfont;
+ pdf_font *pdfif;
if (font_dict->type == PDF_FONT) {
pdfi_countup(font_dict);
@@ -836,10 +841,8 @@ int pdfi_load_dict_font(pdf_context *ctx, pdf_dict *stream_dict, pdf_dict *page_
if (pfont != ctx->pgs->font) {
code = pdfi_gs_setfont(ctx, pfont);
}
- else {
- pdf_font *pdfif = (pdf_font *)pfont->client_data;
- pdfi_countdown(pdfif);
- }
+ pdfif = (pdf_font *)pfont->client_data;
+ pdfi_countdown(pdfif);
if (code < 0)
goto exit;
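Review bot: The now-unconditional `pdfi_countdown(pdfif)` has no comment saying whose reference it drops, and in the `pfont == ctx->pgs->font` case it is only safe if `igs->current_font` already holds a counted reference to that same font. That holds as long as every font change goes through pdfi_gs_setfont, but a direct gs_setfont() call elsewhere (not visible here) would leave pgs->font pointing at an object this line can free. I would add `/* The graphics state holds its own reference (taken in pdfi_gs_setfont), so release the one from loading the font */` above it. The function continues outside the hunk, so what the `exit` label does with `pfont` after a failed setfont cannot be checked from here.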
diff --git a/pdf/pdf_font3.c b/pdf/pdf_font3.c
index 7bfd22ccf..fd8619ee4 100644
--- a/pdf/pdf_font3.c
+++ b/pdf/pdf_font3.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -19,10 +19,10 @@
#include "pdf_stack.h"
#include "pdf_array.h"
#include "pdf_dict.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_font.h"
#include "pdf_font3.h"
-#include "pdf_font_types.h"
#include "pdf_deref.h"
#include "gscencs.h"
#include "gscedata.h" /* For the encoding arrays */
diff --git a/pdf/pdf_gstate.c b/pdf/pdf_gstate.c
index 1ea6abc11..11cff82b2 100644
--- a/pdf/pdf_gstate.c
+++ b/pdf/pdf_gstate.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2021 Artifex Software, Inc.
+/* Copyright (C) 2018-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -17,6 +17,7 @@
#include "pdf_int.h"
#include "pdf_doc.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_stack.h"
#include "pdf_dict.h"
@@ -113,7 +114,9 @@ pdfi_gstate_copy_cb(void *to, const void *from)
*/
if (igs_to != NULL) {
pdfi_gstate_smask_free(igs_to);
+ pdfi_countdown(igs_to->current_font);
*(pdfi_int_gstate *) igs_to = *igs_from;
+ pdfi_countup(igs_to->current_font);
pdfi_gstate_smask_install(igs_to, igs_from->memory, igs_from->SMask, igs_from->GroupGState);
}
return 0;
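Review bot: The old font is counted down before the new one is counted up, the reverse of the order pdfi_gs_setfont uses in this same commit. If `to` and `from` ever hold the last reference to the same font (for instance a state copied onto itself), the countdown frees the object and the following `pdfi_countup(igs_to->current_font)` touches freed memory. Taking the new reference first avoids that: `pdfi_countup(igs_from->current_font);` then `pdfi_countdown(igs_to->current_font);` then the struct assignment. It is also worth confirming that the allocation callback, which is outside this diff, zeroes `current_font`, since the countdown here reads it on a freshly allocated state. The function begins above the hunk.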
@@ -127,6 +130,7 @@ pdfi_gstate_free_cb(void *old, gs_memory_t * mem, gs_gstate *pgs)
if (old == NULL)
return;
pdfi_gstate_smask_free(igs);
+ pdfi_countdown(igs->current_font);
/* We need to use the graphics state memory, in case we are running under Ghostscript. */
gs_free_object(pgs->memory, igs, "pdfi_gstate_free");
}
@@ -252,93 +256,38 @@ int pdfi_op_Q(pdf_context *ctx)
return code;
}
+/* We want pdfi_grestore() so we can track and warn of "too many Qs"
+ * in the interests of symmetry, we also have pdfi_gsave()
+ */
int pdfi_gsave(pdf_context *ctx)
{
- int code;
-
- code = gs_gsave(ctx->pgs);
-
- if(code < 0)
- return code;
- else {
- pdfi_countup_current_font(ctx);
- return 0;
- }
+ return gs_gsave(ctx->pgs);
}
int pdfi_grestore(pdf_context *ctx)
{
- int code;
- pdf_font *font = NULL, *font1 = NULL;
+ int code = 0;
/* Make sure we have encountered as many gsave operations in this
* stream as grestores. If not, log an error
*/
if (ctx->pgs->level > ctx->current_stream_save.gsave_level) {
- font = pdfi_get_current_pdf_font(ctx);
-
code = gs_grestore(ctx->pgs);
-
- font1 = pdfi_get_current_pdf_font(ctx);
- if (font != NULL && (font != font1 || ((pdf_obj *)font)->refcnt > 1)) {
- /* TODO: This countdown might have been causing memory corruption (dangling pointer)
- * but seems to be okay now. Maybe was fixed by other memory issue. 8-28-19
- * If you come upon this comment in the future and it all seems fine, feel free to
- * clean this up... (delete comment, remove the commented out warning message, etc)
- */
-#if REFCNT_DEBUG
- dbgmprintf2(ctx->memory, "pdfi_grestore() counting down font UID %ld, refcnt %d\n",
- font->UID, font->refcnt);
-#endif
- // dbgmprintf(ctx->memory, "WARNING pdfi_grestore() DISABLED pdfi_countdown (FIXME!)\n");
- pdfi_countdown(font);
- }
-
- return code;
} else {
/* We don't throw an error here, we just ignore it and continue */
pdfi_set_warning(ctx, 0, NULL, W_PDF_TOOMANYQ, "pdfi_grestore", (char *)"ignoring q");
}
- return 0;
+ return code;
}
-/* gs_setgstate is somewhat unpleasant from our point of view, because it replaces
- * the content of the graphics state, without going through our pdfi_gsave/pdfi_grestore
- * functionaltiy. In particular we replace the current font in the graphics state when
- * we call it, and this means we *don't* count down the PDF_font object reference count
- * which leads to an incorrect count and either memory leaks or early freeing.
- * This function *requires* that the calling function will do a pdfi_gsave *before*
- * calling pdfi_setgstate, and a pdfi_grestore *after* calling pdfi_gs_setgstate.
- * it correctly increments/decrements the font reference counts for that condition
- * and no other.
- */
int pdfi_gs_setgstate(gs_gstate * pgs, const gs_gstate * pfrom)
{
- pdf_font *font = NULL;
int code = 0;
- /* We are going to release a reference to the font from the graphics state
- * (if there is one) so count it down to keep things straight.
- */
- if (pgs->font) {
- font = (pdf_font *)pgs->font->client_data;
- if (font)
- pdfi_countdown(font);
- }
-
code = gs_setgstate(pgs, pfrom);
if (code < 0)
return code;
- /* The copied gstate may have contained a font, and we expect to do a
- * pdfi_grestore on exit from here, which will count down the font
- * so count it up now in preparation.
- */
- if (pgs->font) {
- font = (pdf_font *)pgs->font->client_data;
- if (font)
- pdfi_countup(font);
- }
return code;
}
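Review bot: pdfi_gs_setgstate is left with `if (code < 0) return code;` immediately followed by `return code;`, and the comment that described its reference-counting contract is deleted without a replacement. The body can be `return gs_setgstate(pgs, pfrom);`, matching what pdfi_gsave became in this hunk, with a short comment such as `/* Font reference counts are maintained by pdfi_gstate_copy_cb and pdfi_gstate_free_cb */`. That comment matters because callers written against the old contract (gsave before, grestore after) have no other way to learn the requirement is gone. Whether gs_setgstate actually invokes the copy callback is not visible in this diff and should be confirmed.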
diff --git a/pdf/pdf_gstate.h b/pdf/pdf_gstate.h
index 37bc55a92..2b314971b 100644
--- a/pdf/pdf_gstate.h
+++ b/pdf/pdf_gstate.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2021 Artifex Software, Inc.
+/* Copyright (C) 2018-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -23,6 +23,7 @@ typedef struct int_gstate_s {
pdf_context *ctx;
pdf_dict *SMask; /* PDF only, null | dictionary | true */
gs_gstate *GroupGState; /* gstate associated with the SMask */
+ pdf_font *current_font; /* This is the pdfi font pointed at by the "client_data" pointer in the gs_font in the gs_gstate */
gs_memory_t *memory;
} pdfi_int_gstate;
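Review bot: `pdf_font *current_font` makes pdf_gstate.h depend on pdf_font_types.h being included first, which is why this commit edits the include list of more than a dozen .c files and reorders the includes in pdf_text.c. Including pdf_font_types.h from pdf_gstate.h itself (assuming it is include-guarded) would make the header self-contained and remove the ordering hazard for future files. The field comment should also state ownership, e.g. `/* counted reference; released in pdfi_gstate_free_cb */`, since that is the invariant the rest of the change relies on.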
diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c
index 457c23772..d4f29a109 100644
--- a/pdf/pdf_image.c
+++ b/pdf/pdf_image.c
@@ -17,6 +17,7 @@
#include "pdf_int.h"
#include "pdf_stack.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_doc.h"
#include "pdf_page.h"
diff --git a/pdf/pdf_int.c b/pdf/pdf_int.c
index e5ff14dbb..e98bc1f66 100644
--- a/pdf/pdf_int.c
+++ b/pdf/pdf_int.c
@@ -25,7 +25,7 @@
#include "pdf_image.h"
#include "pdf_shading.h"
#include "pdf_font.h"
-#include "pdf_font.h"
+#include "pdf_font_types.h"
#include "pdf_cmap.h"
#include "pdf_text.h"
#include "pdf_gstate.h"
diff --git a/pdf/pdf_misc.c b/pdf/pdf_misc.c
index c945c644e..11c5dde50 100644
--- a/pdf/pdf_misc.c
+++ b/pdf/pdf_misc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -18,6 +18,7 @@
#include "pdf_int.h"
#include "pdf_stack.h"
#include "pdf_misc.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "gspath.h" /* For gs_strokepath() */
#include "gspaint.h" /* For gs_erasepage() */
diff --git a/pdf/pdf_optcontent.c b/pdf/pdf_optcontent.c
index fbac4aa80..fc203b7b2 100644
--- a/pdf/pdf_optcontent.c
+++ b/pdf/pdf_optcontent.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -18,6 +18,7 @@
#include "pdf_int.h"
#include "pdf_stack.h"
#include "pdf_misc.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_dict.h"
#include "pdf_array.h"
diff --git a/pdf/pdf_page.c b/pdf/pdf_page.c
index aed1eeef6..95ed84a02 100644
--- a/pdf/pdf_page.c
+++ b/pdf/pdf_page.c
@@ -26,6 +26,7 @@
#include "pdf_loop_detect.h"
#include "pdf_colour.h"
#include "pdf_trans.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_misc.h"
#include "pdf_optcontent.h"
diff --git a/pdf/pdf_path.c b/pdf/pdf_path.c
index d35cf4424..a9724def3 100644
--- a/pdf/pdf_path.c
+++ b/pdf/pdf_path.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2021 Artifex Software, Inc.
+/* Copyright (C) 2018-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -16,6 +16,7 @@
/* Path operations for the PDF interpreter */
#include "pdf_int.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_path.h"
#include "pdf_stack.h"
diff --git a/pdf/pdf_pattern.c b/pdf/pdf_pattern.c
index a21c36f42..d39f367db 100644
--- a/pdf/pdf_pattern.c
+++ b/pdf/pdf_pattern.c
@@ -21,6 +21,7 @@
#include "pdf_pattern.h"
#include "pdf_stack.h"
#include "pdf_array.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_file.h"
#include "pdf_dict.h"
diff --git a/pdf/pdf_shading.c b/pdf/pdf_shading.c
index 2c888cdb4..845267784 100644
--- a/pdf/pdf_shading.c
+++ b/pdf/pdf_shading.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2021 Artifex Software, Inc.
+/* Copyright (C) 2018-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -17,6 +17,7 @@
#include "pdf_int.h"
#include "pdf_stack.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_shading.h"
#include "pdf_dict.h"
diff --git a/pdf/pdf_text.c b/pdf/pdf_text.c
index d8296bed0..52e6ed16a 100644
--- a/pdf/pdf_text.c
+++ b/pdf/pdf_text.c
@@ -21,9 +21,9 @@
#include "pdf_image.h"
#include "pdf_colour.h"
#include "pdf_stack.h"
-#include "pdf_gstate.h"
#include "pdf_font.h"
#include "pdf_font_types.h"
+#include "pdf_gstate.h"
#include "pdf_trans.h"
#include "pdf_optcontent.h"
diff --git a/pdf/pdf_trans.c b/pdf/pdf_trans.c
index ff300263c..608f1679f 100644
--- a/pdf/pdf_trans.c
+++ b/pdf/pdf_trans.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019-2021 Artifex Software, Inc.
+/* Copyright (C) 2019-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -20,6 +20,7 @@
#include "pdf_trans.h"
#include "pdf_dict.h"
#include "pdf_colour.h"
+#include "pdf_font_types.h"
#include "pdf_gstate.h"
#include "pdf_array.h"
#include "pdf_image.h"