From 8c960b62ec6d5bde24b853a33054e9c1214b6034 Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Tue, 15 Nov 2022 15:57:33 +0000
Subject: oss-fuzz 53176: pdfwrite - avoid double free of glyph usage/widths

In alloc_font_cache_elem_arrays() if we fail to allocate either the glyph_usage or real_widths arrays, we free the other, and return an error. But we weren't nulling the pointers, so if the function was called again (which it is likely to be) we'd potentially "free" one or other pointer a second time, causing memory corruption.
---
 devices/vector/gdevpdtt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/devices/vector/gdevpdtt.c b/devices/vector/gdevpdtt.c
index 9483e0510..5d58e4766 100644
--- a/devices/vector/gdevpdtt.c
+++ b/devices/vector/gdevpdtt.c
@@ -837,6 +837,9 @@ alloc_font_cache_elem_arrays(gx_device_pdf *pdev, pdf_font_cache_elem_t *e,
 "pdf_attach_font_resource");
 gs_free_object(pdev->pdf_memory, e->real_widths,
 "alloc_font_cache_elem_arrays");
+/* Avoid risk of double freeing above if we come around again */
+e->glyph_usage = NULL;
+e->real_widths = NULL;
 return_error(gs_error_VMerror);
 }
 e->num_chars = num_chars;
-- 
cgit v1.2.1
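Review bot: The two NULL assignments close the double free on this one error path, but the allocation logic that runs on the retry is outside the hunk, so it is worth confirming there that a stale non-NULL e->glyph_usage or e->real_widths can no longer be mistaken for a live array — if the allocations above are guarded by a "only allocate if NULL" check, the old dangling pointer was also a use-after-free hazard, not just a double free, and nulling is what makes the retry safe. Any other place that frees these two arrays (a cache-element release routine, or a reallocation on the success path) needs the same nulling or the corruption described in the commit message remains reachable from there; none of that is visible in this hunk. The added comment says when it applies but not what it protects against; I would make it explicit: `/* Null both pointers so a retry of this function after a failed allocation neither frees them again nor treats them as valid */`. alloc_font_cache_elem_arrays starts before the hunk and its body continues after the last context line.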