ofz: various use after free and related crashes in glyph cache

in a long lived fuzzer it eventually gets to garbage collect and the trouble
begins, this can be reproduced locally and faster by setting mnMaxSize to 1

I think since...

commit 0b6f2f3ff47b6f1455d213bee4b257542e527976
Date:   Mon Aug 13 14:50:13 2018 +0200

loplugin:useuniqueptr in GlyphCache

oss-fuzz stats show no instances of this until approx August 17th

Change-Id: I1809f3d50e339ccf51a10fa2d3098752d12bc248
Reviewed-on: https://gerrit.libreoffice.org/59496
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 1 insertions, 2 deletions

diff --git a/vcl/unx/generic/glyphs/glyphcache.cxx b/vcl/unx/generic/glyphs/glyphcache.cxx
index cbdfbb1bb87d..c802df0e3cc0 100644
--- a/vcl/unx/generic/glyphs/glyphcache.cxx
+++ b/vcl/unx/generic/glyphs/glyphcache.cxx
@@ -266,7 +266,6 @@ void GlyphCache::GarbageCollect()
         pFreetypeFont->GarbageCollect( mnLruIndex+0x10000000 );
         if( pFreetypeFont == mpCurrentGCFont )
             mpCurrentGCFont = nullptr;
-        maFontList.erase(pFreetypeFont->GetFontInstance());
         mnBytesUsed -= pFreetypeFont->GetByteCount();
 
         // remove font from list of garbage collected fonts
@@ -277,7 +276,7 @@ void GlyphCache::GarbageCollect()
         if( pFreetypeFont == mpCurrentGCFont )
             mpCurrentGCFont = nullptr;
 
-        delete pFreetypeFont;
+        maFontList.erase(pFreetypeFont->GetFontInstance());
     }
 }