The root cause of this issue is shown as below:

Patterns are managed in CPDF_DocPageData. When
a document is closed, all patterns will be
released in the deconstruction of CPDF_DocPageData.
However, some patterns which are referenced in
CPDF_Color can't get the notification from the
destroy of CPDF_DocPageData. It will cause
use-after-free in CPDF_Color::~CPDF_Color.

BUG=392719
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/439693002

1 files changed, 12 insertions, 14 deletions

diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h
index 7e9e412325..4ce4ddc8bb 100644
--- a/core/include/fpdfapi/fpdf_resource.h
+++ b/core/include/fpdfapi/fpdf_resource.h
@@ -730,27 +730,25 @@ protected:
 class CPDF_Pattern : public CFX_Object
 {
 public:
+   
+    virtual ~CPDF_Pattern();
+    void SaveColor(CPDF_Color* pColor) {m_pColor = pColor;}
 
-    virtual ~CPDF_Pattern() {}
+    CPDF_Object*                m_pPatternObj;
 
-    CPDF_Object*			m_pPatternObj;
+    int                         m_PatternType;
 
-    int						m_PatternType;
+    CFX_AffineMatrix            m_Pattern2Form;
+    CFX_AffineMatrix            m_ParentMatrix;
 
-    CFX_AffineMatrix		m_Pattern2Form;
-    CFX_AffineMatrix		m_ParentMatrix;
-
-    CPDF_Document*			m_pDocument;
+    CPDF_Document*              m_pDocument;
+    CPDF_Color*                 m_pColor;
 
 protected:
-
-    CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix)
-    {
-        if (pParentMatrix) {
-            m_ParentMatrix = *pParentMatrix;
-        }
-    }
+    
+    CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix);
 };
+
 class CPDF_TilingPattern : public CPDF_Pattern
 {
 public: