diff options
author | Tom Sepez <tsepez@chromium.org> | 2017-03-30 10:49:21 -0700 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-03-30 18:06:48 +0000 |
commit | 2283daac0ec65185d952c6ce23282cfc0041d6bc (patch) | |
tree | 703c5c2cb5c1ccf0f609361b867a9592eca1128d /core/fxge/ge/cfx_cliprgn.cpp | |
parent | e2e1794d55a0890341eb4fe3e1d0ed80379f905a (diff) | |
download | pdfium-2283daac0ec65185d952c6ce23282cfc0041d6bc.tar.xz |
Protect against premature mask destruction in CFX_ClipRgn::IntersectRect
Assigning to m_Mask will invalidate the pMask argument if m_Mask itself
is passed into the method.
BUG=706346
Change-Id: Ieaac480eb9e857c3199fd539c23978fb7f372461
Reviewed-on: https://pdfium-review.googlesource.com/3376
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxge/ge/cfx_cliprgn.cpp')
-rw-r--r-- | core/fxge/ge/cfx_cliprgn.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/core/fxge/ge/cfx_cliprgn.cpp b/core/fxge/ge/cfx_cliprgn.cpp index 5193ce2944..037e658de9 100644 --- a/core/fxge/ge/cfx_cliprgn.cpp +++ b/core/fxge/ge/cfx_cliprgn.cpp @@ -50,13 +50,14 @@ void CFX_ClipRgn::IntersectMaskRect(FX_RECT rect, m_Mask = pMask; return; } + CFX_RetainPtr<CFX_DIBitmap> pOldMask(pMask); m_Mask = pdfium::MakeRetain<CFX_DIBitmap>(); m_Mask->Create(m_Box.Width(), m_Box.Height(), FXDIB_8bppMask); for (int row = m_Box.top; row < m_Box.bottom; row++) { uint8_t* dest_scan = m_Mask->GetBuffer() + m_Mask->GetPitch() * (row - m_Box.top); uint8_t* src_scan = - pMask->GetBuffer() + pMask->GetPitch() * (row - mask_rect.top); + pOldMask->GetBuffer() + pOldMask->GetPitch() * (row - mask_rect.top); for (int col = m_Box.left; col < m_Box.right; col++) dest_scan[col - m_Box.left] = src_scan[col - mask_rect.left]; } |