Plug memory leaks identified by fuzzer+Valgrind

Author: pkgw

crates/engine_xetex/xetex/xetex-ext.c

@@ -218,6 +218,8 @@ load_mapping_file(const char* s, const char* e, char byteMapping)
             font_mapping_warning(buffer, strlen(buffer), 2); /* not loadable */
         else if (get_tracing_fonts_state() > 1)
             font_mapping_warning(buffer, strlen(buffer), 0); /* tracing */
+
+        free(mapping);
     } else {
         font_mapping_warning(buffer, strlen(buffer), 1); /* not found */
     }

crates/engine_xetex/xetex/xetex-ini.c

@@ -3,6 +3,13 @@
    Licensed under the MIT License.
 */
 
+/* On Windows this can bring in a `#define INPUT` that clashes with
+ * xetex_format.h, so include it first and sanitize: */
+#include "teckit-c-Engine.h"
+#ifdef INPUT
+#undef INPUT
+#endif
+
 #include "xetex-core.h"
 #include "xetex-xetexd.h"
 #include "xetex-synctex.h"
@@ -2764,7 +2771,7 @@ load_fmt_file(void)
 
     font_ptr = x;
 
-    font_mapping = xmalloc_array(void *, font_max);
+    font_mapping = xcalloc_array(void *, font_max);
     font_layout_engine = xcalloc_array(void *, font_max);
     font_flags = xmalloc_array(char, font_max);
     font_letter_space = xmalloc_array(scaled_t, font_max);
@@ -3508,6 +3515,11 @@ tt_cleanup(void) {
             release_font_engine(font_layout_engine[font_k], font_area[font_k]);
             font_layout_engine[font_k] = NULL;
         }
+
+        if (font_mapping[font_k] != NULL) {
+            TECkit_DisposeConverter((TECkit_Converter) font_mapping[font_k]);
+            font_mapping[font_k] = NULL;
+        }
     }
 
     for (int i = 1; i <= in_open; i++) {

crates/pdf_io/pdf_io/dpx-pdfdraw.c

@@ -878,7 +878,7 @@ typedef struct pdf_gstate_
   pdf_obj *extgstate;
 } pdf_gstate;
 
-static dpx_stack gs_stack;
+static dpx_stack gs_stack = { 0, NULL, NULL };
 
 static void
 init_a_gstate (pdf_gstate *gs)
@@ -1112,6 +1112,16 @@ pdf_dev_init_gstates (void)
 {
   pdf_gstate *gs;
 
+  /* Tectonic: this function is called twice in the xdvipdfmx driver init,
+   * resulting in a small amount of leaked memory. We statically initialize the
+   * stack variable to make it possible to safely avoid the leak in this
+   * situation. */
+
+  while ((gs = dpx_stack_pop(&gs_stack)) != NULL) {
+    clear_a_gstate(gs);
+    free(gs);
+  }
+
   dpx_stack_init(&gs_stack);
 
   gs = NEW(1, pdf_gstate);

fuzz/run-fuzzer.sh

@@ -1,4 +1,11 @@
 #!/usr/bin/env bash
+
+# NOTE: install `llvm-dev` or whichever package provides `llvm-symbolizer` if
+# you want your stack traces to have any useful information! Otherwise none of
+# the binary addresses are decoded when the fuzzer finds problems. You may also
+# need to add the `-D` flag to `cargo fuzz run` to get more meaningful
+# backtraces, at the expense of the fuzzer running much slower.
+
 set -e
 set -o pipefail
 HERE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"