summaryrefslogtreecommitdiff
path: root/core/include/fpdfapi
diff options
context:
space:
mode:
authorJun Fang <jun_fang@foxitsoftware.com>2014-08-05 02:38:22 -0700
committerJun Fang <jun_fang@foxitsoftware.com>2014-08-05 02:38:22 -0700
commit1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 (patch)
tree5ec68ec6965397b29bfe174894c021618db4c42e /core/include/fpdfapi
parent06a8c8737b731d601af11cd9d61308c097cacc5f (diff)
downloadpdfium-1b9c5c4dc41956b8c5ab17b9a882adf8a2513768.tar.xz
The root cause of this issue is shown as below:
Patterns are managed in CPDF_DocPageData. When a document is closed, all patterns will be released in the deconstruction of CPDF_DocPageData. However, some patterns which are referenced in CPDF_Color can't get the notification from the destroy of CPDF_DocPageData. It will cause use-after-free in CPDF_Color::~CPDF_Color. BUG=392719 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/439693002
Diffstat (limited to 'core/include/fpdfapi')
-rw-r--r--core/include/fpdfapi/fpdf_resource.h26
1 files changed, 12 insertions, 14 deletions
diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h
index 7e9e412325..4ce4ddc8bb 100644
--- a/core/include/fpdfapi/fpdf_resource.h
+++ b/core/include/fpdfapi/fpdf_resource.h
@@ -730,27 +730,25 @@ protected:
class CPDF_Pattern : public CFX_Object
{
public:
+
+ virtual ~CPDF_Pattern();
+ void SaveColor(CPDF_Color* pColor) {m_pColor = pColor;}
- virtual ~CPDF_Pattern() {}
+ CPDF_Object* m_pPatternObj;
- CPDF_Object* m_pPatternObj;
+ int m_PatternType;
- int m_PatternType;
+ CFX_AffineMatrix m_Pattern2Form;
+ CFX_AffineMatrix m_ParentMatrix;
- CFX_AffineMatrix m_Pattern2Form;
- CFX_AffineMatrix m_ParentMatrix;
-
- CPDF_Document* m_pDocument;
+ CPDF_Document* m_pDocument;
+ CPDF_Color* m_pColor;
protected:
-
- CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix)
- {
- if (pParentMatrix) {
- m_ParentMatrix = *pParentMatrix;
- }
- }
+
+ CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix);
};
+
class CPDF_TilingPattern : public CPDF_Pattern
{
public: