authorTom Sepez <tsepez@chromium.org>2017-05-23 17:21:01 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-05-24 16:41:29 +0000
commit08f4b7762a4453818c76c680f5295986e21418ce (patch)
treec6a771759b639180add570f4dd882d103f8efe9c /core/fpdfapi/font/cpdf_type3char.cpp
parent129b0135adf99be8e2c3015267a4689c6d62dca1 (diff)
Convert to CFX_UnownedPtr, part 4.
Fix strange ownership issue in cpdf_type3char.cpp, and describe the absolutely insane stuff happening there. Change-Id: Iae70f9eca8f125ed3ef677729f1776ba9f10183c Reviewed-on: https://pdfium-review.googlesource.com/5830 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core/fpdfapi/font/cpdf_type3char.cpp')
-rw-r--r--core/fpdfapi/font/cpdf_type3char.cpp19
1 files changed, 15 insertions, 4 deletions
diff --git a/core/fpdfapi/font/cpdf_type3char.cpp b/core/fpdfapi/font/cpdf_type3char.cpp
index d9794c27d3..e11193fdaa 100644
--- a/core/fpdfapi/font/cpdf_type3char.cpp
+++ b/core/fpdfapi/font/cpdf_type3char.cpp
@@ -31,10 +31,21 @@ bool CPDF_Type3Char::LoadBitmap(CPDF_RenderContext* pContext) {
return false;
m_ImageMatrix = pPageObj->AsImage()->matrix();
- CFX_RetainPtr<CFX_DIBSource> pSource =
- pPageObj->AsImage()->GetImage()->LoadDIBSource();
- if (pSource)
- m_pBitmap = pSource->Clone(nullptr);
+ {
+ // |pSource| actually gets assigned a CPDF_DIBSource, which has pointers
+ // into objects owned by |m_pForm|. Make sure it is out of scope before
+ // clearing the form.
+ CFX_RetainPtr<CFX_DIBSource> pSource =
+ pPageObj->AsImage()->GetImage()->LoadDIBSource();
+
+ // Clone() is non-virtual, and can't be overloaded by CPDF_DIBSource to
+ // return a clone of the subclass as one would typically expect from a
+ // such a method. Instead, it only clones the CFX_DIBSource, none of whose
+ // members point to objects owned by the form. As a result, |m_pBitmap|
+ // may outlive |m_pForm|.
+ if (pSource)
+ m_pBitmap = pSource->Clone(nullptr);
+ }
m_pForm.reset();
return true;
}
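Review bot: The guarantee that `m_pBitmap` may outlive `m_pForm` rests entirely on the second added comment (Clone() being non-virtual and CFX_DIBSource holding no pointers into form-owned objects), and nothing at this call site would catch a later change to either; if Clone() ever returned a copy of the subclass, the `m_pForm.reset()` after the new scope would leave the bitmap holding dangling pointers. I would state the same contract at the Clone() declaration, which is outside this hunk, for example `// Result must not reference objects owned by the source's creator; CPDF_Type3Char::LoadBitmap() relies on this.` The added comment also has a typo: "from a such a method" should read `from such a method`. LoadBitmap() starts above the hunk, so whether the earlier `return false` paths leave `m_pForm` set is not visible here.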