summaryrefslogtreecommitdiff
path: root/core/fxge/ge/cfx_cliprgn.cpp
diff options
context:
space:
mode:
authorTom Sepez <tsepez@chromium.org>2017-03-30 10:49:21 -0700
committerChromium commit bot <commit-bot@chromium.org>2017-03-30 18:06:48 +0000
commit2283daac0ec65185d952c6ce23282cfc0041d6bc (patch)
tree703c5c2cb5c1ccf0f609361b867a9592eca1128d /core/fxge/ge/cfx_cliprgn.cpp
parente2e1794d55a0890341eb4fe3e1d0ed80379f905a (diff)
downloadpdfium-2283daac0ec65185d952c6ce23282cfc0041d6bc.tar.xz
Protect against premature mask destruction in CFX_ClipRgn::IntersectRect
Assigning to m_Mask will invalidate the pMask argument if m_Mask itself is passed into the method. BUG=706346 Change-Id: Ieaac480eb9e857c3199fd539c23978fb7f372461 Reviewed-on: https://pdfium-review.googlesource.com/3376 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'core/fxge/ge/cfx_cliprgn.cpp')
-rw-r--r--core/fxge/ge/cfx_cliprgn.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/core/fxge/ge/cfx_cliprgn.cpp b/core/fxge/ge/cfx_cliprgn.cpp
index 5193ce2944..037e658de9 100644
--- a/core/fxge/ge/cfx_cliprgn.cpp
+++ b/core/fxge/ge/cfx_cliprgn.cpp
@@ -50,13 +50,14 @@ void CFX_ClipRgn::IntersectMaskRect(FX_RECT rect,
m_Mask = pMask;
return;
}
+ CFX_RetainPtr<CFX_DIBitmap> pOldMask(pMask);
m_Mask = pdfium::MakeRetain<CFX_DIBitmap>();
m_Mask->Create(m_Box.Width(), m_Box.Height(), FXDIB_8bppMask);
for (int row = m_Box.top; row < m_Box.bottom; row++) {
uint8_t* dest_scan =
m_Mask->GetBuffer() + m_Mask->GetPitch() * (row - m_Box.top);
uint8_t* src_scan =
- pMask->GetBuffer() + pMask->GetPitch() * (row - mask_rect.top);
+ pOldMask->GetBuffer() + pOldMask->GetPitch() * (row - mask_rect.top);
for (int col = m_Box.left; col < m_Box.right; col++)
dest_scan[col - m_Box.left] = src_scan[col - mask_rect.left];
}