From 90f0f92bf6bf9c346cd3f74adaa42a7c8a3702cb Mon Sep 17 00:00:00 2001
From: Nancy Durgin <nancy.durgin@artifex.com>
Date: Wed, 22 Jul 2020 12:24:05 -0700
Subject: [PATCH] Fix memory leak in pdfwrite device

This appears to only be a memory leak for non-garbage-collected interpreters
such as pdfi.

sclose() calls s_disable() which sets s->cbuf to 0.
But it also calls client callbacks that might do things with cbuf first, so
it will crash if we free it before calling sclose().
Side-effects galore! :(

Anyway, we save the pointer before doing the sclose() so we can
properly free it afterwards.
---
 devices/vector/gdevpdfu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/devices/vector/gdevpdfu.c b/devices/vector/gdevpdfu.c
index 2b2af1d32..f58999444 100644
--- a/devices/vector/gdevpdfu.c
+++ b/devices/vector/gdevpdfu.c
@@ -1186,6 +1186,7 @@ stream_to_none(gx_device_pdf * pdev)
         }
         if (pdev->compression_at_page_start == pdf_compress_Flate) {	/* Terminate the filters. */
             stream *fs = s->strm;
+            byte *buf;
 
             if (!pdev->binary_ok) {
                 sclose(s);	/* Terminate the ASCII85 filter. */
@@ -1194,8 +1195,9 @@ stream_to_none(gx_device_pdf * pdev)
                 pdev->strm = s = fs;
                 fs = s->strm;
             }
+            buf = s->cbuf; /* Save because sclose may zero it out (causing memory leak) */
             sclose(s);		/* Next terminate the compression filter */
-            gs_free_object(pdev->pdf_memory, s->cbuf, "zlib buffer");
+            gs_free_object(pdev->pdf_memory, buf, "zlib buffer");
             gs_free_object(pdev->pdf_memory, s, "zlib stream");
             pdev->strm = fs;
         }
-- 
2.33.0