From 4ff09274a86102a69c6e7abebc59d694bc90bbcd Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Thu, 24 Nov 2022 22:47:29 +0000
Subject: [PATCH] [subset] In CFF accelerator keep a reference to original
 face.

The charstring objects reference memory from the original face so we need to maintain a reference to prevent it from being destroyed.
---
 src/hb-subset-cff-common.hh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/hb-subset-cff-common.hh b/src/hb-subset-cff-common.hh
index cd16348e4..44e4ee4c9 100644
--- a/src/hb-subset-cff-common.hh
+++ b/src/hb-subset-cff-common.hh
@@ -405,12 +405,14 @@ struct parsed_cs_str_vec_t : hb_vector_t<parsed_cs_str_t>
 struct cff_subset_accelerator_t
 {
   static cff_subset_accelerator_t* create(
+      hb_face_t* original_face,
       const parsed_cs_str_vec_t& parsed_charstrings,
       const parsed_cs_str_vec_t& parsed_global_subrs,
       const hb_vector_t<parsed_cs_str_vec_t>& parsed_local_subrs) {
     cff_subset_accelerator_t* accel =
         (cff_subset_accelerator_t*) hb_malloc (sizeof(cff_subset_accelerator_t));
-    new (accel) cff_subset_accelerator_t (parsed_charstrings,
+    new (accel) cff_subset_accelerator_t (original_face,
+                                          parsed_charstrings,
                                           parsed_global_subrs,
                                           parsed_local_subrs);
     return accel;
@@ -425,19 +427,29 @@ struct cff_subset_accelerator_t
   }
 
   cff_subset_accelerator_t(
+      hb_face_t* original_face_,
       const parsed_cs_str_vec_t& parsed_charstrings_,
       const parsed_cs_str_vec_t& parsed_global_subrs_,
       const hb_vector_t<parsed_cs_str_vec_t>& parsed_local_subrs_)
   {
+    // the parsed charstrings point to memory in the original face so we must hold a reference
+    // to it to keep the memory valid.
+    original_face = hb_face_reference (original_face_);
     parsed_charstrings = parsed_charstrings_;
     parsed_global_subrs = parsed_global_subrs_;
     parsed_local_subrs = parsed_local_subrs_;
   }
 
+  ~cff_subset_accelerator_t() {
+    hb_face_destroy (original_face);
+  }
+
   parsed_cs_str_vec_t parsed_charstrings;
   parsed_cs_str_vec_t parsed_global_subrs;
   hb_vector_t<parsed_cs_str_vec_t> parsed_local_subrs;
 
+ private:
+  hb_face_t* original_face;
 };
 
 struct subr_subset_param_t
@@ -983,7 +995,8 @@ struct subr_subsetter_t
     if (!plan->inprogress_accelerator) return;
 
     plan->inprogress_accelerator->cff_accelerator =
-        cff_subset_accelerator_t::create(parsed_charstrings,
+        cff_subset_accelerator_t::create(plan->source,
+                                         parsed_charstrings,
                                          parsed_global_subrs,
                                          parsed_local_subrs);