diff options
| author | art-snake <art-snake@yandex-team.ru> | 2016-09-19 11:51:29 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-09-19 11:51:29 -0700 |
| commit | 52d6868075ff23d5081d4c0185c7619f4c084553 (patch) | |
| tree | f2175632a159d3c1ec8f623baf68eb45c793420f | |
| parent | b1a7134afb4fe5d47ebbc4f728cf97eaa173e9d0 (diff) | |
| download | pdfium-52d6868075ff23d5081d4c0185c7619f4c084553.tar.xz | |
Fix "heap use after free" bug.
BUG=647612
Review-Url: https://codereview.chromium.org/2350193003
| -rw-r--r-- | core/fpdfapi/fpdf_render/fpdf_render_image.cpp | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/core/fpdfapi/fpdf_render/fpdf_render_image.cpp b/core/fpdfapi/fpdf_render/fpdf_render_image.cpp index 7ac5210291..7414f0a5de 100644 --- a/core/fpdfapi/fpdf_render/fpdf_render_image.cpp +++ b/core/fpdfapi/fpdf_render/fpdf_render_image.cpp @@ -990,19 +990,22 @@ CFX_DIBitmap* CPDF_RenderStatus::LoadSMask(CPDF_Dictionary* pSMaskDict, return nullptr; CFX_DIBitmap& bitmap = *bitmap_device.GetBitmap(); - CPDF_Object* pCSObj = nullptr; - CPDF_ColorSpace* pCS = nullptr; + int color_space_family = 0; if (bLuminosity) { CPDF_Array* pBC = pSMaskDict->GetArrayFor("BC"); FX_ARGB back_color = 0xff000000; if (pBC) { + CPDF_Object* pCSObj = nullptr; CPDF_Dictionary* pDict = pGroup->GetDict(); - if (pDict && pDict->GetDictFor("Group")) + if (pDict && pDict->GetDictFor("Group")) { pCSObj = pDict->GetDictFor("Group")->GetDirectObjectFor("CS"); - else - pCSObj = nullptr; - pCS = m_pContext->GetDocument()->LoadColorSpace(pCSObj); + } + const CPDF_ColorSpace* pCS = + m_pContext->GetDocument()->LoadColorSpace(pCSObj); if (pCS) { + // Store Color Space Family to use in CPDF_RenderStatus::Initialize. + color_space_family = pCS->GetFamily(); + FX_FLOAT R, G, B; uint32_t comps = 8; if (pCS->CountComponents() > comps) { @@ -1039,7 +1042,7 @@ CFX_DIBitmap* CPDF_RenderStatus::LoadSMask(CPDF_Dictionary* pSMaskDict, CPDF_RenderStatus status; status.Initialize(m_pContext, &bitmap_device, nullptr, nullptr, nullptr, nullptr, &options, 0, m_bDropObjects, pFormResource, TRUE, - nullptr, 0, pCS ? pCS->GetFamily() : 0, bLuminosity); + nullptr, 0, color_space_family, bLuminosity); status.RenderObjectList(&form, &matrix); std::unique_ptr<CFX_DIBitmap> pMask(new CFX_DIBitmap); if (!pMask->Create(width, height, FXDIB_8bppMask)) |