From 351c99d8ce23bbf7099dbd52771a095f67e45a2c Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Mon, 1 Oct 2018 15:13:13 +0800 Subject: Avoid being smart about keeping only a single reference to the buffer. When pdf_dev_pop() is called it will drop the reference to the buffer. pdf_dev_push_new_buf() will either create a new buffer reference or take a reference to the existing buffer. When pdf_dev_pop() is called unbalance this creates a problem as the top level buffer will be unreferenced too many times. fails-32.pdf --- source/pdf/pdf-device.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'source') diff --git a/source/pdf/pdf-device.c b/source/pdf/pdf-device.c index 31a7a10f..0103e9a7 100644 --- a/source/pdf/pdf-device.c +++ b/source/pdf/pdf-device.c @@ -66,7 +66,6 @@ struct pdf_device_s pdf_document *doc; pdf_obj *resources; - fz_buffer *buffer; int in_text; @@ -1061,7 +1060,10 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev) int i; for (i = pdev->num_gstates-1; i >= 0; i--) + { + fz_drop_buffer(ctx, pdev->gstates[i].buf); fz_drop_stroke_state(ctx, pdev->gstates[i].stroke_state); + } for (i = pdev->num_cid_fonts-1; i >= 0; i--) fz_drop_font(ctx, pdev->cid_fonts[i]); @@ -1069,7 +1071,6 @@ pdf_dev_drop_device(fz_context *ctx, fz_device *dev) for (i = pdev->num_groups - 1; i >= 0; i--) pdf_drop_obj(ctx, pdev->groups[i].ref); - fz_drop_buffer(ctx, pdev->buffer); pdf_drop_obj(ctx, pdev->resources); fz_free(ctx, pdev->cid_fonts); fz_free(ctx, pdev->image_indices); @@ -1111,10 +1112,13 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc dev->super.begin_tile = pdf_dev_begin_tile; dev->super.end_tile = pdf_dev_end_tile; + fz_var(buf); + fz_try(ctx) { - dev->buffer = fz_keep_buffer(ctx, buf); - if (!buf) + if (buf) + buf = fz_keep_buffer(ctx, buf); + else buf = fz_new_buffer(ctx, 256); dev->doc = doc; dev->resources = pdf_keep_obj(ctx, resources); 
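Review bot: The `fz_drop_buffer(ctx, pdev->gstates[i].buf)` added to the teardown loop in pdf_dev_drop_device is balanced only if every gstate on the stack holds its own reference to `buf`, and nothing in the hunk records that invariant. The commit message says pdf_dev_push_new_buf() creates or keeps a buffer on each push, but any other path that copies a gstate, and with it the `buf` pointer, without `fz_keep_buffer` would now have that buffer dropped twice here. That is the same over-unreference the commit sets out to remove, and those paths are outside the diff, so they need checking. I would state the rule above the loop, e.g. `/* every gstate owns one reference to its buf; pdf_dev_pop() and this loop each drop exactly one */`. The function body starts and ends outside the hunk.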
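Review bot: Reassigning the parameter `buf` to the device's own reference in pdf_new_pdf_device makes the `fz_drop_buffer(ctx, buf)` in the catch block correct only while the `if (buf) ... else ...` stays the first statement of the `fz_try` body. If a throwing call is ever placed ahead of it, the catch would drop the caller's reference rather than one this function took, and the caller's buffer would be released one time too many. A separate local removes that ordering dependency: declare `fz_buffer *own = NULL;`, assign `own = buf ? fz_keep_buffer(ctx, buf) : fz_new_buffer(ctx, 256);`, and drop `own` in the catch, with the later uses of `buf` outside this hunk switched to `own`. At minimum add `/* buf is our own reference from here on; keep this first in the try */`. The function continues outside the hunk.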
@@ -1136,8 +1140,7 @@ fz_device *pdf_new_pdf_device(fz_context *ctx, pdf_document *doc, fz_matrix topc
 }
 fz_catch(ctx)
 {
- if (dev->gstates && dev->buffer == NULL)
- fz_drop_buffer(ctx, dev->gstates[0].buf);
+ fz_drop_buffer(ctx, buf);
 fz_free(ctx, dev);
 fz_rethrow(ctx);
 }
-- cgit v1.2.3
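Review bot: The catch block releases `buf` and `dev` but not `dev->resources`, which the try body sets with `pdf_keep_obj(ctx, resources)` in the previous hunk of this function, so a throw after that assignment leaks the reference. Add `pdf_drop_obj(ctx, dev->resources);` before `fz_free(ctx, dev);`; this assumes `dev` is zero-initialised when allocated, which is not visible here. The removed lines reference `dev->gstates`, and if that array is allocated in the part of the try body between the two hunks, this path also needs `fz_free(ctx, dev->gstates);`.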