Upon exception xml_to_boxes() drops the fz_html_tree passed to it.
Consider the case where write_rich_content() calls fz_new_story()
to create a fz_story (which contains fz_html_tree). Upon
exception write_rich_content() drops the fz_story, but it also
calls fz_place_story() which ends up in convert_to_boxes(), which
calls xml_to_boxes(). If an exception is thrown here, then first
xml_to_boxes() will drop the fz_story's fz_html_tree, and later
write_rich_content() will also drop the same fz_story and its
fz_html_tree.
The only other function that calls xml_to_boxes() is
fz_parse_html_tree(), which is only called by fz_parse_html(),
which upon exception also drops the fz_html_tree it has created.
The conclusion is that the functions write_rich_content() and
fz_parse_html_tree() retain ownership of the fz_html_tree they
created, and consequently drop their fz_html_trees upon
exception, while xml_to_boxes() erroneously assumes that it takes
ownership of the fz_html_tree passed to it.
The fix is to remove the drop from xml_to_boxes().
This fixes oss-fuzz issue 396958483.
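Added illustration, not MuPDF code and not part of the commit: a constructed C model of the ownership mismatch the message describes. The names `xml_to_boxes_model`, `run_caller`, `new_tree` and `drop_tree` are hypothetical stand-ins for the functions named above, and `setjmp`/`longjmp` stands in for the library's exception unwinding. The model counts drops of an already-dropped tree instead of freeing memory, so the double drop is observable rather than undefined behaviour. `callee_drops = 1` reproduces the pre-fix behaviour (callee drops the caller's tree, then the catching owner drops it again); `callee_drops = 0` is the fixed behaviour where only the owner drops.

```c
#include <setjmp.h>
#include <stdio.h>

/* Constructed model, not MuPDF code. Trees come from a static pool
 * and are never freed, so a second drop is counted, not executed. */
typedef struct { int live; } html_tree;

static html_tree pool[8];
static int pool_used;
static int double_drops;   /* drops of a tree that was already dropped */
static jmp_buf exc_env;    /* stand-in for the library's try/catch */

static void throw_exc(void) { longjmp(exc_env, 1); }

static html_tree *new_tree(void) {
    html_tree *t = &pool[pool_used++ % 8];
    t->live = 1;
    return t;
}

/* Releases a tree once; records any further release of the same tree. */
static void drop_tree(html_tree *t) {
    if (!t->live) { double_drops++; return; }
    t->live = 0;
}

/* Callee that receives a borrowed tree. With callee_drops set it drops
 * the caller's tree before rethrowing (the bug described above); with it
 * clear it only propagates the exception (the fix). */
static void xml_to_boxes_model(html_tree *tree, int fail, int callee_drops) {
    if (fail) {
        if (callee_drops) drop_tree(tree);
        throw_exc();
    }
    /* layout work on the tree would happen here */
}

/* Owner of the tree, in the role of write_rich_content()/fz_parse_html():
 * it created the tree, so it drops it on both the normal and the
 * exception path. Returns the number of double drops observed. */
static int run_caller(int fail, int callee_drops) {
    html_tree *volatile tree = new_tree();
    double_drops = 0;
    if (setjmp(exc_env) == 0) {
        xml_to_boxes_model(tree, fail, callee_drops);
    } else {
        drop_tree(tree);        /* catch: owner releases its resource */
        return double_drops;
    }
    drop_tree(tree);            /* normal path: owner releases as well */
    return double_drops;
}

int main(void) {
    printf("exception, callee drops (bug):   double drops = %d\n", run_caller(1, 1));
    printf("exception, callee only rethrows: double drops = %d\n", run_caller(1, 0));
    printf("no exception, fixed callee:      double drops = %d\n", run_caller(0, 0));
    return 0;
}
```

The rule the model encodes is the one the commit states: whoever created the fz_html_tree owns it and is the only one who drops it, and a callee that merely borrows it must leave it alone on every path, including the exception path.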