diff options
author | JUN FANG <jun_fang@foxitsoftware.com> | 2015-04-17 11:46:08 -0700 |
---|---|---|
committer | JUN FANG <jun_fang@foxitsoftware.com> | 2015-04-17 11:46:08 -0700 |
commit | 3d9eb67ea0a5e110234a4576ad8d7e7305ba7074 (patch) | |
tree | ed8ff5566a52062fd73e8fdb4dd20e13581c7282 /core/src/fxge/ge | |
parent | f66cfd7369b3c12cd0ed4c47c49377ed01727abd (diff) | |
download | pdfium-3d9eb67ea0a5e110234a4576ad8d7e7305ba7074.tar.xz |
Fix an issue 'heap use after free'
This fix is for covering more scenarios. Some faces like Foxit defined faces and MM faces are managed in built-in manager. They are released in built-in manager not in fontMgr.
BUG=452793
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1095733003
Diffstat (limited to 'core/src/fxge/ge')
-rw-r--r-- | core/src/fxge/ge/fx_ge_fontmap.cpp | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/core/src/fxge/ge/fx_ge_fontmap.cpp b/core/src/fxge/ge/fx_ge_fontmap.cpp index 3230ea0ce1..9a8380b77e 100644 --- a/core/src/fxge/ge/fx_ge_fontmap.cpp +++ b/core/src/fxge/ge/fx_ge_fontmap.cpp @@ -36,11 +36,11 @@ CTTFontDesc::~CTTFontDesc() FX_Free(m_pFontData); } } -FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) +FX_INT32 CTTFontDesc::ReleaseFace(FXFT_Face face) { if (m_Type == 1) { if (m_SingleFace.m_pFace != face) { - return FALSE; + return -1; } } else if (m_Type == 2) { int i; @@ -49,15 +49,15 @@ FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) break; } if (i == 16) { - return FALSE; + return -1; } } m_RefCount --; if (m_RefCount) { - return FALSE; + return m_RefCount; } delete this; - return TRUE; + return 0; } CFX_FontMgr::CFX_FontMgr() { @@ -394,18 +394,21 @@ void CFX_FontMgr::ReleaseFace(FXFT_Face face) if (face == NULL) { return; } - FX_BOOL bFaceDone = FALSE; FX_POSITION pos = m_FaceMap.GetStartPosition(); + FX_BOOL bNeedFaceDone = TRUE; while(pos) { CFX_ByteString Key; CTTFontDesc* ttface; m_FaceMap.GetNextAssoc(pos, Key, (void*&)ttface); - if (ttface->ReleaseFace(face)) { + int nRet = ttface->ReleaseFace(face); + if (nRet == 0) { m_FaceMap.RemoveKey(Key); - bFaceDone = TRUE; + bNeedFaceDone = FALSE; + } else if (nRet > 0) { + bNeedFaceDone = FALSE; } } - if (!bFaceDone) { + if (bNeedFaceDone && !m_pBuiltinMapper->IsBuiltinFace(face)) { FXFT_Done_Face(face); } } @@ -1341,6 +1344,21 @@ FXFT_Face CFX_FontMapper::FindSubstFontByUnicode(FX_DWORD dwUnicode, FX_DWORD fl m_pFontInfo->DeleteFont(hFont);
return face;
}
+ +FX_BOOL CFX_FontMapper::IsBuiltinFace(const FXFT_Face face) const +{ + for (int i = 0; i < MM_FACE_COUNT; ++i) { + if (m_MMFaces[i] == face) { + return TRUE; + } + } + for (int i = 0; i < FOXIT_FACE_COUNT; ++i) { + if (m_FoxitFaces[i] == face) { + return TRUE; + } + } + return FALSE; +} extern "C" { unsigned long _FTStreamRead(FXFT_Stream stream, unsigned long offset, unsigned char* buffer, unsigned long count); |