author | Jun Fang <jun_fang@foxitsoftware.com> | 2014-08-05 02:38:22 -0700 |
---|---|---|
committer | Jun Fang <jun_fang@foxitsoftware.com> | 2014-08-05 02:38:22 -0700 |
commit | 1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 (patch) | |
tree | 5ec68ec6965397b29bfe174894c021618db4c42e /core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | |
parent | 06a8c8737b731d601af11cd9d61308c097cacc5f (diff) | |
download | pdfium-1b9c5c4dc41956b8c5ab17b9a882adf8a2513768.tar.xz |
The root cause of this issue is shown below:
Patterns are managed in CPDF_DocPageData. When
a document is closed, all patterns will be
released in the deconstruction of CPDF_DocPageData.
However, some patterns which are referenced in
CPDF_Color can't get the notification from the
destruction of CPDF_DocPageData. It will cause
a use-after-free in CPDF_Color::~CPDF_Color.
BUG=392719
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/439693002
Diffstat (limited to 'core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp')
-rw-r--r-- | core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp index 1b7cb03ee2..8cd26fee37 100644 --- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp +++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp @@ -1269,6 +1269,7 @@ void CPDF_Color::ReleaseBuffer() PatternValue* pvalue = (PatternValue*)m_pBuffer; CPDF_Pattern* pPattern = pvalue->m_pPattern; if (pPattern && pPattern->m_pDocument) { + pPattern->SaveColor(NULL); pPattern->m_pDocument->GetPageData()->ReleasePattern(pPattern->m_pPatternObj); } } @@ -1329,6 +1330,9 @@ void CPDF_Color::SetValue(CPDF_Pattern* pPattern, FX_FLOAT* comps, int ncomps) } pvalue->m_nComps = ncomps; pvalue->m_pPattern = pPattern; + if (pPattern) { + pPattern->SaveColor(this); + } if (ncomps) { FXSYS_memcpy32(pvalue->m_Comps, comps, ncomps * sizeof(FX_FLOAT)); } |
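Review bot: in the first hunk (CPDF_Color::ReleaseBuffer), `pPattern->SaveColor(NULL);` is only reached inside `if (pPattern && pPattern->m_pDocument)`, so a pattern whose m_pDocument is already null keeps the back-pointer to this color that SetValue registered, and that pointer dangles once the color is gone. Consider clearing the registration under a plain `if (pPattern)` check before testing m_pDocument. The call also clears unconditionally: if SaveColor keeps a single pointer, as its one-argument form suggests, and another CPDF_Color has registered with the same pattern in the meantime, that registration is dropped here. SaveColor's definition is not part of this file's diff, so either clear only when the saved pointer equals this color or state in a comment that a pattern has exactly one owning color.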
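Review bot: in the second hunk (CPDF_Color::SetValue), `pPattern->SaveColor(this);` hands the pattern a raw, non-owning pointer to this CPDF_Color with no comment describing the lifetime contract. Please document next to the call that the pattern uses this pointer to notify the color when the pattern is destroyed, and that every path which installs a pattern into a PatternValue must register the same way; a path that sets `pvalue->m_pPattern` without calling SaveColor would leave that color unnotified and exposed to the same use-after-free. The lines shown also overwrite `pvalue->m_pPattern` without a visible step that clears the registration on the pattern held before, so confirm the code above this hunk releases the old pattern first.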