diff options
| author | Jun Fang <jun_fang@foxitsoftware.com> | 2014-08-05 02:38:22 -0700 |
|---|---|---|
| committer | Jun Fang <jun_fang@foxitsoftware.com> | 2014-08-05 02:38:22 -0700 |
| commit | 1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 (patch) | |
| tree | 5ec68ec6965397b29bfe174894c021618db4c42e | |
| parent | 06a8c8737b731d601af11cd9d61308c097cacc5f (diff) | |
| download | pdfium-1b9c5c4dc41956b8c5ab17b9a882adf8a2513768.tar.xz | |
The root cause of this issue is shown as below:
Patterns are managed in CPDF_DocPageData. When
a document is closed, all patterns will be
released in the deconstruction of CPDF_DocPageData.
However, some patterns which are referenced in
CPDF_Color can't get the notification from the
destroy of CPDF_DocPageData. It will cause
use-after-free in CPDF_Color::~CPDF_Color.
BUG=392719
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/439693002
| -rw-r--r-- | core/include/fpdfapi/fpdf_resource.h | 26 | ||||
| -rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 4 | ||||
| -rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp | 17 |
3 files changed, 33 insertions, 14 deletions
diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h index 7e9e412325..4ce4ddc8bb 100644 --- a/core/include/fpdfapi/fpdf_resource.h +++ b/core/include/fpdfapi/fpdf_resource.h @@ -730,27 +730,25 @@ protected: class CPDF_Pattern : public CFX_Object { public: + + virtual ~CPDF_Pattern(); + void SaveColor(CPDF_Color* pColor) {m_pColor = pColor;} - virtual ~CPDF_Pattern() {} + CPDF_Object* m_pPatternObj; - CPDF_Object* m_pPatternObj; + int m_PatternType; - int m_PatternType; + CFX_AffineMatrix m_Pattern2Form; + CFX_AffineMatrix m_ParentMatrix; - CFX_AffineMatrix m_Pattern2Form; - CFX_AffineMatrix m_ParentMatrix; - - CPDF_Document* m_pDocument; + CPDF_Document* m_pDocument; + CPDF_Color* m_pColor; protected: - - CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix) - { - if (pParentMatrix) { - m_ParentMatrix = *pParentMatrix; - } - } + + CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix); }; + class CPDF_TilingPattern : public CPDF_Pattern { public: diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp index 1b7cb03ee2..8cd26fee37 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp @@ -1269,6 +1269,7 @@ void CPDF_Color::ReleaseBuffer() PatternValue* pvalue = (PatternValue*)m_pBuffer; CPDF_Pattern* pPattern = pvalue->m_pPattern; if (pPattern && pPattern->m_pDocument) { + pPattern->SaveColor(NULL); pPattern->m_pDocument->GetPageData()->ReleasePattern(pPattern->m_pPatternObj); } } @@ -1329,6 +1330,9 @@ void CPDF_Color::SetValue(CPDF_Pattern* pPattern, FX_FLOAT* comps, int ncomps) } pvalue->m_nComps = ncomps; pvalue->m_pPattern = pPattern; + if (pPattern) { + pPattern->SaveColor(this); + } if (ncomps) { FXSYS_memcpy32(pvalue->m_Comps, comps, ncomps * sizeof(FX_FLOAT)); } diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp index 8cb6dc77dc..c7c1e7a565 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp @@ -6,6 +6,22 @@ #include "../../../include/fpdfapi/fpdf_page.h" #include "pageint.h" + +CPDF_Pattern::CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix) : + m_pPatternObj(NULL), m_PatternType(PATTERN_TILING), m_pDocument(NULL), m_pColor(NULL) +{ + if (pParentMatrix) { + m_ParentMatrix = *pParentMatrix; + } +} + +CPDF_Pattern::~CPDF_Pattern() +{ + if (m_pColor) { + m_pColor->SetValue(NULL, NULL, 0); + m_pColor = NULL; + } +} CPDF_TilingPattern::CPDF_TilingPattern(CPDF_Document* pDoc, CPDF_Object* pPatternObj, const CFX_AffineMatrix* parentMatrix) : CPDF_Pattern(parentMatrix) { @@ -25,6 +41,7 @@ CPDF_TilingPattern::~CPDF_TilingPattern() { if (m_pForm) { delete m_pForm; + m_pForm = NULL; } } FX_BOOL CPDF_TilingPattern::Load() |