[base] Report used stream's external status.

In `open_face` the initial stream is set on the face, along with the
information about if FreeType is the owner of the stream object itself.  The
loaders may in the course of their work replace this stream with a new
stream (as is the case for 'woff' and 'woff2'), which may have a different
ownership than the initial stream object (likely the original stream object
is owned by the user and is external, while the new stream object is created
internally to FreeType and is internal).  When the stream is replaced, the
face's flags are updated with the new ownership status.

However, `open_face` cannot itself free this stream as its caller
`ft_open_face_internal` is responsible for this.  In addition, in the case
of an error `open_face` cannot return an actual face with the new stream and
its ownership status to the caller.  As a result, it must pass this
information back to the caller as a sort of "failed face" so that the caller
can clean up.

`open_face` was already passing back the new stream but was not passing back
the stream ownership information.  As a result the stream may not have been
free'd when needed.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54700

* src/base/ftobjs.c (open_face): Pass back the ownership information as
well.
(ft_open_face_internal): Updated.
Ben Wagner 2023-01-05 12:42:55 -05:00 committed by Werner Lemberg
parent c0b4f6a862
commit 15afb55458

@ -1489,7 +1489,7 @@
static FT_Error
open_face( FT_Driver driver,
FT_Stream *astream,
FT_Bool external_stream,
FT_Bool *anexternal_stream,
FT_Long face_index,
FT_Int num_params,
FT_Parameter* params,
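Review bot: `anexternal_stream` in the `open_face` signature is now an in/out parameter, but nothing in the visible lines documents that. It is read on entry to set `FT_FACE_FLAG_EXTERNAL_STREAM` and written back after the loader has run. A short comment above the function should say that both `*astream` and `*anexternal_stream` may be changed by the call, including when it returns an error, so the caller knows to use the returned values for cleanup.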
@ -1515,7 +1515,7 @@
face->stream = *astream;
/* set the FT_FACE_FLAG_EXTERNAL_STREAM bit for FT_Done_Face */
if ( external_stream )
if ( *anexternal_stream )
face->face_flags |= FT_FACE_FLAG_EXTERNAL_STREAM;
if ( FT_NEW( internal ) )
@ -1545,7 +1545,10 @@
(FT_Int)face_index,
num_params,
params );
*astream = face->stream; /* Stream may have been changed. */
/* Stream may have been changed. */
*astream = face->stream;
*anexternal_stream =
( face->face_flags & FT_FACE_FLAG_EXTERNAL_STREAM ) != 0;
if ( error )
goto Fail;
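Review bot: the write-back of `*anexternal_stream` depends on the loader having updated `face->face_flags` whenever it replaced `face->stream`, and the comment "Stream may have been changed." only mentions the stream. Suggest extending the comment to say the ownership flag is passed back together with the stream and that the two assignments must stay paired and stay before `if ( error ) goto Fail;`, since the failure path is exactly where the caller needs the updated pair. Also worth confirming that any exit taken before this point (for instance whatever follows `if ( FT_NEW( internal ) )` in the previous hunk, which is not shown) cannot happen after the stream has been replaced, because those exits leave `*anexternal_stream` at its input value.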
@ -2586,7 +2589,7 @@
params = args->params;
}
error = open_face( driver, &stream, external_stream, face_index,
error = open_face( driver, &stream, &external_stream, face_index,
num_params, params, &face );
if ( !error )
goto Success;
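Review bot: at this call site `&external_stream` lets `open_face` overwrite the caller's local, so after a failed call `external_stream` describes the possibly replaced `stream` rather than the stream the user passed in. The cleanup code that frees `stream` is not visible in this hunk; please confirm it reads `external_stream` after this call rather than a value captured earlier, otherwise the internally created stream is still not released on the error path.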
@ -2622,7 +2625,7 @@
params = args->params;
}
error = open_face( driver, &stream, external_stream, face_index,
error = open_face( driver, &stream, &external_stream, face_index,
num_params, params, &face );
if ( !error )
goto Success;
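Review bot: this second call site also passes `&stream` and `&external_stream`, so if control can reach another `open_face` attempt after a failure (not visible in these hunks), that attempt receives whatever stream and ownership value the failed loader left behind. If that is intended, a one-line comment at the call would make it clear; if each attempt is supposed to start from the original stream, the pair needs to be reset before retrying. A regression input taken from the referenced oss-fuzz issue would also help keep this error path covered.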