Fix a potential UAF with FPDFAvail_IsLinearized().

Cache the linearized result rather than recalculating it.

BUG=608778

Review-Url: https://codereview.chromium.org/1968743002

1 files changed, 8 insertions, 4 deletions

diff --git a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.h b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.h
index 28ccccb6fc..33b6b39323 100644
--- a/core/fpdfapi/fpdf_parser/cpdf_hint_tables.h
+++ b/core/fpdfapi/fpdf_parser/cpdf_hint_tables.h
@@ -21,8 +21,8 @@ class CPDF_Stream;
 class CPDF_HintTables {
  public:
   CPDF_HintTables(CPDF_DataAvail* pDataAvail, CPDF_Dictionary* pLinearized)
-      : m_pLinearizedDict(pLinearized),
-        m_pDataAvail(pDataAvail),
+      : m_pDataAvail(pDataAvail),
+        m_pLinearizedDict(pLinearized),
         m_nFirstPageSharedObjs(0),
         m_szFirstPageObjOffset(0) {}
   ~CPDF_HintTables();
@@ -47,8 +47,12 @@ class CPDF_HintTables {
   int ReadPrimaryHintStreamOffset() const;
   int ReadPrimaryHintStreamLength() const;
 
-  CPDF_Dictionary* m_pLinearizedDict;
-  CPDF_DataAvail* m_pDataAvail;
+  // Owner, outlives this object.
+  CPDF_DataAvail* const m_pDataAvail;
+
+  // Owned by |m_pDataAvail|.
+  CPDF_Dictionary* const m_pLinearizedDict;
+
   uint32_t m_nFirstPageSharedObjs;
   FX_FILESIZE m_szFirstPageObjOffset;
   CFX_ArrayTemplate<uint32_t> m_dwDeltaNObjsArray;