Protect against draw device stack confusion due to errors while pushing.

Whenever we have an error while pushing a gstate, we run the risk of
getting confused over how many pops we need etc.

With this commit we introduce some checking at the dev_null level that
attempts to make this behaviour consistent.

Any caller may now assume that calling an operation that pushes a clip
will always succeed. This means the only error cleanup they need to
do is to ensure that if they have pushed a clip (or begun a group, or
a mask etc) is to pop it too.

Any callee may now assume that if it throws an error during the call
to a device entrypoint that would create a group/clip/mask then no more
calls will be forthcoming until after the caller has completely finished
with that group.

This is achieved by the dev_null layer (the layer that indirects from
device calls through the device structure to the function pointers)
swallowing errors and regurgitating them later as required. A count is
kept of the number of pushes that have happened since an error
occurred during a push (including that initial one). When this count
reaches zero, the original error is regurgitated. This allows the
caller to keep the cookie correctly updated.

1 files changed, 3 insertions, 3 deletions

diff --git a/fitz/base_error.c b/fitz/base_error.c
index 0167611a..5ec97a0a 100644
--- a/fitz/base_error.c
+++ b/fitz/base_error.c
@@ -18,7 +18,7 @@ void fz_flush_warnings(fz_context *ctx)
 	ctx->warn->count = 0;
 }
 
-void fz_warn(fz_context *ctx, char *fmt, ...)
+void fz_warn(fz_context *ctx, const char *fmt, ...)
 {
 	va_list ap;
 	char buf[sizeof ctx->warn->message];
@@ -100,14 +100,14 @@ int fz_push_try(fz_error_context *ex)
 	return 0;
 }
 
-char *fz_caught(fz_context *ctx)
+const char *fz_caught(fz_context *ctx)
 {
 	assert(ctx);
 	assert(ctx->error);
 	return ctx->error->message;
 }
 
-void fz_throw(fz_context *ctx, char *fmt, ...)
+void fz_throw(fz_context *ctx, const char *fmt, ...)
 {
 	va_list args;
 	va_start(args, fmt);