type1-subset, cff-subset: Plugged 2 memory leaks

- _cairo_type1_font_subset_fini doesn't free font->cleartext
- _cairo_cff_font_create can exit without freeing font->font_name and/or
  font->data; _cairo_cff_font_load_opentype_cff is called to allocate
  font_name, then _cairo_cff_font_load_cff is called to allocate
  font->data, then _cairo_cff_font_load_cff's return status is checked
  and if it failed, it jumps to fail1. This can cause font_name to leak
  since the fail1 target only frees the font variable. In addition,
  _cairo_cff_font_load_cff can fail -after- allocating data, and then
  data won't be freed either.

Bug 56566

2 files changed, 5 insertions, 3 deletions

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index e3040fcf6..bd8d5b5f5 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -2787,7 +2787,7 @@ _cairo_cff_font_create (cairo_scaled_font_subset_t  *scaled_font_subset,
     if (backend->is_synthetic && backend->is_synthetic (scaled_font_subset->scaled_font))
 	return CAIRO_INT_STATUS_UNSUPPORTED;
 
-    font = malloc (sizeof (cairo_cff_font_t));
+    font = calloc (1, sizeof (cairo_cff_font_t));
     if (unlikely (font == NULL))
         return _cairo_error (CAIRO_STATUS_NO_MEMORY);
 
@@ -2862,11 +2862,11 @@ fail4:
 fail3:
     free (font->subset_font_name);
 fail2:
-    free (font->data);
-    free (font->font_name);
     free (font->ps_name);
     _cairo_array_fini (&font->output);
 fail1:
+    free (font->data);
+    free (font->font_name);
     free (font);
 
     return status;
diff --git a/src/cairo-type1-subset.c b/src/cairo-type1-subset.c
index dff4a953e..2ec56f157 100644
--- a/src/cairo-type1-subset.c
+++ b/src/cairo-type1-subset.c
@@ -1670,6 +1670,8 @@ _cairo_type1_font_subset_fini (cairo_type1_font_subset_t *font)
 
     free (font->subset_index_to_glyphs);
 
+    free (font->cleartext);
+
     return status;
 }