diff options
| author | tsepez <tsepez@chromium.org> | 2016-09-22 11:37:13 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-09-22 11:37:13 -0700 |
| commit | fef62e1f2bbf064100e6e262a10653f2374bfd2b (patch) | |
| tree | 5532d2a9d2fd82a1c9ccdfc9141b65af60897313 /core/fxcrt/include | |
| parent | 8e0638b1531493e2d5fe3a603f4be60418c78bc4 (diff) | |
| download | pdfium-fef62e1f2bbf064100e6e262a10653f2374bfd2b.tar.xz | |
Null CPDF_CountedObj::m_pObj prior to deletion
This gives additional protection in case of re-entry. Also
make CFX_CountRef more robust in face of errors.
BUG=649229
Review-Url: https://codereview.chromium.org/2364673002
Diffstat (limited to 'core/fxcrt/include')
| -rw-r--r-- | core/fxcrt/include/cfx_count_ref.h | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/core/fxcrt/include/cfx_count_ref.h b/core/fxcrt/include/cfx_count_ref.h index d709efb67c..a879967b28 100644 --- a/core/fxcrt/include/cfx_count_ref.h +++ b/core/fxcrt/include/cfx_count_ref.h @@ -56,15 +56,22 @@ class CFX_CountRef { CountedObj(Args... params) : ObjClass(params...), m_RefCount(0) {} CountedObj(const CountedObj& src) : ObjClass(src), m_RefCount(0) {} + ~CountedObj() { m_RefCount = 0; } bool HasOneRef() const { return m_RefCount == 1; } void Retain() { m_RefCount++; } void Release() { - if (--m_RefCount <= 0) + ASSERT(m_RefCount); + if (--m_RefCount == 0) delete this; } private: + // To ensure ref counts do not overflow, consider the worst possible case: + // the entire address space contains nothing but pointers to this object. + // Since the count increments with each new pointer, the largest value is + // the number of pointers that can fit into the address space. The size of + // the address space itself is a good upper bound on it. intptr_t m_RefCount; }; |