author | Tom Sepez <tsepez@chromium.org> | 2018-08-17 23:09:43 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-08-17 23:09:43 +0000 |
commit | a9d56105a725d223f87bd979ffbf61a8a2377c08 (patch) | |
tree | e450f3e0ccf185de7c4cbccd892eac6ed6fb360d | |
parent | cffa651acfa7ca1d90aecea728e94c5c3dcdfe79 (diff) | |
download | pdfium-chromium/3526.tar.xz |
Use more UnownedPtr<> in cpdf_renderstatus.h.chromium/3526
This immediately flags a case where a pointer from a heap object to
a caller's stack object is persisted past the caller's lifetime. Fix
it the simplest way via AutoRestorer<> so we'll get a nice safe segv
should it be used.
Change-Id: I554304b235e73c279fa0cd79c9e3ee0138be45f9
Reviewed-on: https://pdfium-review.googlesource.com/40592
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
-rw-r--r-- | core/fpdfapi/render/cpdf_renderstatus.cpp | 16 | ||||
-rw-r--r-- | core/fpdfapi/render/cpdf_renderstatus.h | 4 |
2 files changed, 11 insertions, 9 deletions
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index 5e554623df..2cbe495ce4 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -1228,7 +1228,7 @@ bool CPDF_RenderStatus::ProcessForm(const CPDF_FormObject* pFormObj,
 pFormDict ? pFormDict->GetDictFor("Resources") : nullptr;
 CPDF_RenderStatus status(m_pContext.Get(), m_pDevice);
 status.SetOptions(m_Options);
- status.SetStopObject(m_pStopObj);
+ status.SetStopObject(m_pStopObj.Get());
 status.SetTransparency(m_Transparency);
 status.SetDropObjects(m_bDropObjects);
 status.SetFormResource(pResources);
@@ -1568,7 +1568,7 @@ bool CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject* pPageObj,
 }
 CPDF_RenderStatus bitmap_render(m_pContext.Get(), &bitmap_device);
 bitmap_render.SetOptions(m_Options);
- bitmap_render.SetStopObject(m_pStopObj);
+ bitmap_render.SetStopObject(m_pStopObj.Get());
 bitmap_render.SetStdCS(true);
 bitmap_render.SetDropObjects(m_bDropObjects);
 bitmap_render.SetFormResource(pFormResource);
@@ -1983,6 +1983,8 @@ void CPDF_RenderStatus::DrawTextPathWithPattern(const CPDF_TextObject* textobj,
 path.m_Bottom = textobj->m_Bottom;
 path.m_Right = textobj->m_Right;
 path.m_Top = textobj->m_Top;
+
+ AutoRestorer<UnownedPtr<const CPDF_PageObject>> restorer2(&m_pCurObj);
 RenderSingleObject(&path, pObj2Device);
 return;
 }
@@ -2058,8 +2060,8 @@ void CPDF_RenderStatus::DrawShading(const CPDF_ShadingPattern* pPattern,
 return;
 }
 CPDF_DeviceBuffer buffer;
- buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox, m_pCurObj,
- 150);
+ buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox,
+ m_pCurObj.Get(), 150);
 CFX_Matrix FinalMatrix = *pMatrix;
 FinalMatrix.Concat(*buffer.GetMatrix());
 RetainPtr<CFX_DIBitmap> pBitmap = buffer.GetBitmap();
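Review bot: The added `AutoRestorer<UnownedPtr<const CPDF_PageObject>> restorer2(&m_pCurObj);` in the DrawTextPathWithPattern hunk has no comment explaining the lifetime problem it guards against, so a later cleanup could remove it as dead code. Going by the commit message, RenderSingleObject() presumably leaves m_pCurObj pointing at the stack-local `path`; a line such as `// |path| is on this frame; put m_pCurObj back before |path| is destroyed.` above the guard would record that. The guard has to be declared after `path` so it unwinds first, and since the declaration of `path` and the rest of the function lie outside the hunk, that ordering and any other branch that hands a local to RenderSingleObject() should be checked. The name `restorer2` says nothing about what is restored; `cur_obj_restorer` would be clearer.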
@@ -2479,9 +2481,9 @@ void CPDF_RenderStatus::CompositeDIBitmap(
 int back_top;
 FX_RECT rect(left, top, left + pDIBitmap->GetWidth(),
 top + pDIBitmap->GetHeight());
- RetainPtr<CFX_DIBitmap> pBackdrop =
- GetBackdrop(m_pCurObj, rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated,
- &back_left, &back_top);
+ RetainPtr<CFX_DIBitmap> pBackdrop = GetBackdrop(
+ m_pCurObj.Get(), rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated,
+ &back_left, &back_top);
 if (!pBackdrop)
 return;
diff --git a/core/fpdfapi/render/cpdf_renderstatus.h b/core/fpdfapi/render/cpdf_renderstatus.h
index a7e845f237..f6d58843c0 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.h
+++ b/core/fpdfapi/render/cpdf_renderstatus.h
@@ -188,8 +188,8 @@ class CPDF_RenderStatus {
 CFX_RenderDevice* const m_pDevice;
 CFX_Matrix m_DeviceMatrix;
 CPDF_ClipPath m_LastClipPath;
- const CPDF_PageObject* m_pCurObj = nullptr;
- const CPDF_PageObject* m_pStopObj = nullptr;
+ UnownedPtr<const CPDF_PageObject> m_pCurObj;
+ UnownedPtr<const CPDF_PageObject> m_pStopObj;
 CPDF_GraphicStates m_InitialStates;
 std::unique_ptr<CPDF_ImageRenderer> m_pImageRenderer;
 CPDF_Transparency m_Transparency; |
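Review bot: The two members in the cpdf_renderstatus.h hunk change from raw pointers to `UnownedPtr<const CPDF_PageObject>` without a comment stating the lifetime contract they now carry. I would add `// Not owned; the pointee must outlive this object or the member must be reset first.` above `m_pCurObj` and `m_pStopObj`. Dropping the `= nullptr` initializers relies on UnownedPtr default-constructing to null, which is worth confirming because its definition is not on this page. The dangling check is, as far as I know, only active in memory-tool builds, so release builds still depend on call sites such as the new AutoRestorer in DrawTextPathWithPattern resetting the pointer correctly.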