Bug 694382: Fix use-after-free due to type3 fonts.

Thanks to zeniko for spotting the problem here.

Type 3 fonts contain a reference to the resources objects required
to render the glyphs. Traditionally these have been freed when the
font is freed. Unfortunately, after recent changes, freeing a PDF
object requires the pdf_document concerned to still exist.

While in most cases the type 3 resources are not used after we have
converted the type3 glyphs to display lists, this is not always the
case. For uncachable Type 3 glyphs (such as those that do not
completely define elements in the graphics state that they use, such
as color or line width), we end up running the glyphs at interpretation
time.

[ Interpretation time = when doing a direct render on the main thread,
or when creating a display list - so also on the main thread. No
multi-threading issues with file access here. ]

The fix implemented here is for each pdf document to keep a list of
the type3 fonts it has created, and to 'decouple' them from the
document when the document is destroyed. The sole effect of this
decoupling is to remove the resources (and the PDF operator buffers)
from the font. These are only ever used during interpretation, and
no further interpretations are possible without the document being
alive anyway, so this should have no net effect on operation, other
than allowing cleanup to proceed cleanly later on.

1 files changed, 7 insertions, 0 deletions

diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
index 970a83aa..ee9f8ea1 100644
--- a/source/pdf/pdf-xref.c
+++ b/source/pdf/pdf-xref.c
@@ -1102,6 +1102,13 @@ pdf_close_document(pdf_document *doc)
 	if (doc->crypt)
 		pdf_free_crypt(ctx, doc->crypt);
 
+	for (i=0; i < doc->num_type3_fonts; i++)
+	{
+		fz_decouple_type3_font(ctx, doc->type3_fonts[i], (void *)doc);
+		fz_drop_font(ctx, doc->type3_fonts[i]);
+	}
+	fz_free(ctx, doc->type3_fonts);
+
 	pdf_free_ocg(ctx, doc->ocg);
 
 	fz_empty_store(ctx);