summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJun Fang <jun_fang@foxitsoftware.com>2015-12-09 19:20:30 -0800
committerJun Fang <jun_fang@foxitsoftware.com>2015-12-09 19:20:30 -0800
commit2b13af09bd788afbf9e9eecc5938820cdc037134 (patch)
tree7e8901cbc0869291ac430df8ffa53522757f1461
parent035359cd8ddb555fa33b6133db4fd405e4660712 (diff)
downloadpdfium-2b13af09bd788afbf9e9eecc5938820cdc037134.tar.xz
Merge to master: Fix heap-use-after-free in FT_Stream_ReleaseFrame
BUG=452793,561478 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1512873002 . Review URL: https://codereview.chromium.org/1508343004 .
-rw-r--r--core/src/fxge/ge/fx_ge_fontmap.cpp21
-rw-r--r--core/src/fxge/ge/text_int.h5
2 files changed, 18 insertions, 8 deletions
diff --git a/core/src/fxge/ge/fx_ge_fontmap.cpp b/core/src/fxge/ge/fx_ge_fontmap.cpp
index 6781369455..77f9486560 100644
--- a/core/src/fxge/ge/fx_ge_fontmap.cpp
+++ b/core/src/fxge/ge/fx_ge_fontmap.cpp
@@ -437,10 +437,10 @@ CTTFontDesc::~CTTFontDesc() {
}
FX_Free(m_pFontData);
}
-FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) {
+int CTTFontDesc::ReleaseFace(FXFT_Face face) {
if (m_Type == 1) {
if (m_SingleFace.m_pFace != face) {
- return FALSE;
+ return -1;
}
} else if (m_Type == 2) {
int i;
@@ -449,15 +449,15 @@ FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) {
break;
}
if (i == 16) {
- return FALSE;
+ return -1;
}
}
m_RefCount--;
if (m_RefCount) {
- return FALSE;
+ return m_RefCount;
}
delete this;
- return TRUE;
+ return 0;
}
CFX_FontMgr::CFX_FontMgr() : m_FTLibrary(nullptr) {
@@ -621,13 +621,20 @@ void CFX_FontMgr::ReleaseFace(FXFT_Face face) {
if (!face) {
return;
}
+ FX_BOOL bNeedFaceDone = TRUE;
auto it = m_FaceMap.begin();
while (it != m_FaceMap.end()) {
auto temp = it++;
- if (temp->second->ReleaseFace(face)) {
+ int nRet = temp->second->ReleaseFace(face);
+ if (nRet == -1)
+ continue;
+ bNeedFaceDone = FALSE;
+ if (nRet == 0)
m_FaceMap.erase(temp);
- }
+ break;
}
+ if (bNeedFaceDone && !m_pBuiltinMapper->IsBuiltinFace(face))
+ FXFT_Done_Face(face);
}
bool CFX_FontMgr::GetBuiltinFont(size_t index,
diff --git a/core/src/fxge/ge/text_int.h b/core/src/fxge/ge/text_int.h
index f17cf7f18f..1b96cfbdd2 100644
--- a/core/src/fxge/ge/text_int.h
+++ b/core/src/fxge/ge/text_int.h
@@ -29,7 +29,10 @@ class CTTFontDesc {
m_RefCount = 0;
}
~CTTFontDesc();
- FX_BOOL ReleaseFace(FXFT_Face face);
+ // ret < 0, releaseface not appropriate for this object.
+ // ret == 0, object released
+ // ret > 0, object still alive, other referrers.
+ int ReleaseFace(FXFT_Face face);
int m_Type;
union {
struct {