Fix UAF in CFGAS_FontMgr::FindFontchromium/3398

Fix an use-after-free issue which was introduced by commit 53279b1dcabae4913f7f0a58e741942e82ab7d59. Bug: chromium:832589 Change-Id: Id7da791c3aa2d71d0a9e56d062069f41b7eb48d1 Reviewed-on: https://pdfium-review.googlesource.com/30570 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org>
author: Ke Liu <stackexploit@gmail.com> 2018-04-16 05:19:07 +0000
committer: Chromium commit bot <commit-bot@chromium.org> 2018-04-16 05:19:07 +0000
commit: d5624a47bcaad45f6fcb30ad03b6e474f5cee17e (patch)
tree: ddaaf60b6f0afa4bd2cfc499c7d9f41d7c06204c
parent: b71d24c1affe8648963ba5024b62e5dbf4479ae2 (diff)
download: pdfium-chromium/3398.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp
index b4e6bdc912..d7acc62eef 100644
--- a/xfa/fgas/font/cfgas_fontmgr.cpp
+++ b/xfa/fgas/font/cfgas_fontmgr.cpp
@@ -229,8 +229,12 @@ const FX_FONTDESCRIPTOR* CFGAS_FontMgr::FindFont(const wchar_t* pszFontFamily,
   if (!pszFontFamily)
     return nullptr;
 
+  // Use a named object to store the returned value of EnumGdiFonts() instead
+  // of using a temporary object. This can prevent use-after-free issues since
+  // pDesc may point to one of std::deque object's elements.
+  std::deque<FX_FONTDESCRIPTOR> namedFonts = EnumGdiFonts(pszFontFamily, wUnicode);
   params.pwsFamily = nullptr;
-  pDesc = MatchDefaultFont(&params, EnumGdiFonts(pszFontFamily, wUnicode));
+  pDesc = MatchDefaultFont(&params, namedFonts);
   if (!pDesc)
     return nullptr;
author	Ke Liu <stackexploit@gmail.com>	2018-04-16 05:19:07 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	2018-04-16 05:19:07 +0000
commit	d5624a47bcaad45f6fcb30ad03b6e474f5cee17e (patch)
tree	ddaaf60b6f0afa4bd2cfc499c7d9f41d7c06204c
parent	b71d24c1affe8648963ba5024b62e5dbf4479ae2 (diff)
download	pdfium-chromium/3398.tar.xz