oss-fuzz 44151: pdfi_TJ() hold a local, ref counted reference

to the operand array, in case an error causes the op stack reference to it to disappear, and the object to be freed while we're still using it.
ArtifexSoftware · Jan 29, 2022 · 85fa6e1 · 85fa6e1
1 parent cd92dea
commit 85fa6e1
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/pdf/pdf_text.c b/pdf/pdf_text.c
@@ -486,10 +486,6 @@ static int pdfi_show_set_params(pdf_context *ctx, pdf_string *s, gs_text_params_
         }
         text->size = s->length;
     }
-    else {
-        code = gs_note_error(gs_error_invalidfont);
-        goto text_params_error;
-    }
     return 0;
 
 text_params_error:
@@ -1201,6 +1197,8 @@ int pdfi_TJ(pdf_context *ctx)
         pdfi_pop(ctx, 1);
         return gs_note_error(gs_error_typecheck);
     }
+    pdfi_countup(a);
+    pdfi_pop(ctx, 1);
 
     /* Save the CTM for later restoration */
     saved = ctm_only(ctx->pgs);
@@ -1312,7 +1310,7 @@ int pdfi_TJ(pdf_context *ctx)
     ctx->pgs->line_params.half_width = linewidth;
 
  exit:
-    pdfi_pop(ctx, 1);
+    pdfi_countdown(a);
     return code;
 }