From a94b6e448324142ecd0e047ba067b5280b6aa2e2 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Fri, 2 Sep 2022 10:55:52 +0100
Subject: oss-fuzz 50893: xpswrite: Fix order of operations freeing TIFF object

We can't free our libtiff "client data) until we've completed writing the TIFF
(which also frees the libtiff context), but having completed writing the TIFF,
we can no longer access our client data through the libtiff context.

We have to retrieve a pointer to our client data, complete the TIFF writing
process, then free our client data using the pointer we previously retrieved.
---
 devices/vector/gdevxps.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/devices/vector/gdevxps.c b/devices/vector/gdevxps.c
index 218b3c09c..20d9dbd5b 100644
--- a/devices/vector/gdevxps.c
+++ b/devices/vector/gdevxps.c
@@ -1790,7 +1790,7 @@ static TIFF* tiff_from_name(gx_device_xps *dev, const char *name, int big_endian
 static int tiff_set_values(xps_image_enum_t *pie, TIFF *tif,
                             cmm_profile_t *profile, bool force8bit);
 static void xps_tiff_set_handlers(void);
-static void tiff_client_release(gx_device_xps* dev, TIFF* t);
+static void xps_tiff_cleanup(xps_image_enum_t *xpie);
 
 /* Check if we have the ICC profile in the package */
 static xps_icc_data_t*
@@ -2296,9 +2296,7 @@ xps_image_end_image(gx_image_enum_common_t * info, bool draw_last)
     /* N.B. Write the final strip, if any. */
 
     code = TIFFWriteDirectory(pie->tif);
-    tiff_client_release((gx_device_xps*)(pie->dev), pie->tif);
-    TIFFCleanup(pie->tif);
-    pie->tif = NULL;
+    xps_tiff_cleanup(pie);
 
     /* Stuff the image into the zip archive and close the file */
     code = xps_add_tiff_image(pie);
@@ -2575,11 +2573,14 @@ tiff_from_name(gx_device_xps *dev, const char *name, int big_endian, bool usebig
     return t;
 }
 
-static void
-tiff_client_release(gx_device_xps *dev, TIFF *t)
+static void xps_tiff_cleanup(xps_image_enum_t *xpie)
 {
-    gs_free_object(dev->memory->non_gc_memory, TIFFClientdata(t),
-        "tiff_client_release");
+    if (xpie->tif != NULL) {
+        void *t = TIFFClientdata(xpie->tif);
+        TIFFCleanup(xpie->tif);
+        xpie->tif = NULL;
+        gs_free_object(xpie->memory->non_gc_memory, t, "xps_image_enum_finalize");
+    }
 }
 
 static void
@@ -2588,11 +2589,7 @@ xps_image_enum_finalize(const gs_memory_t *cmem, void *vptr)
     xps_image_enum_t *xpie = (xps_image_enum_t *)vptr;
     gx_device_xps *xdev = (gx_device_xps *)xpie->dev;
 
-    if (xpie->tif != NULL) {
-        tiff_client_release((gx_device_xps*)(xpie->dev), xpie->tif);
-        TIFFCleanup(xpie->tif);
-        xpie->tif = NULL;
-    }
+    xps_tiff_cleanup(xpie);
 
     xpie->dev = NULL;
     if (xpie->pcs != NULL)
-- 
cgit v1.2.1