From 38af36ec272280bebd503d9b0419e27e5b9a239c Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Wed, 5 Apr 2023 13:44:28 +0100
Subject: Bug 706539: Fix crash seen when decoding 2 tiffs in a row.

After decoding the first tiff, we free the buffer used to hold the tiff, but forgot to reset the size of the buffer. This meant that on trying to read the second tiff, we'd attempt to use an empty buffer, and crash.
---
 gpdl/tifftop.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/gpdl/tifftop.c b/gpdl/tifftop.c
index 49f4a7dc9..7bba78490 100644
--- a/gpdl/tifftop.c
+++ b/gpdl/tifftop.c
@@ -249,6 +249,7 @@ tiff_impl_init_job(pl_interp_implementation_t *impl,
     tiff->dev = device;
     tiff->state = ii_state_identifying;
+    tiff->buffer_full = 0;
     return 0;
 }
@@ -1187,6 +1188,8 @@ fail_decode:
     if (tiff->tiff_buffer) {
         gs_free_object(tiff->memory, tiff->tiff_buffer, "tiff_impl_process(tiff_buffer)");
         tiff->tiff_buffer = NULL;
+        tiff->buffer_max = 0;
+        tiff->buffer_full = 0;
     }
     /* We want to bin any data we get up to, but not including
      * a UEL. */
--
cgit v1.2.1
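Review bot: The two resets added after `tiff->tiff_buffer = NULL;` restore the invariant that `buffer_max` and `buffer_full` describe `tiff_buffer`, but nothing in the hunk records that invariant, so the next path that frees the buffer can drop it again exactly as this bug arose. A one-line comment on the free would make it explicit: `/* buffer_max/buffer_full describe tiff_buffer; zero them whenever it is freed */`. If the buffer is also released on a path not shown here (a successful job or instance teardown), that path presumably needs the same two assignments, and a small static helper that frees and zeroes all three fields together would be harder to get out of sync than repeating the triple by hand. The first hunk clears only `buffer_full` in tiff_impl_init_job and not `buffer_max`, which is consistent only if this `fail_decode:` path is the sole place the buffer is freed; worth confirming. The function enclosing `fail_decode:` starts and ends outside the hunk.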