authorJUN FANG <jun_fang@foxitsoftware.com>2015-04-17 11:46:08 -0700
committerJUN FANG <jun_fang@foxitsoftware.com>2015-04-17 11:46:08 -0700
commit3d9eb67ea0a5e110234a4576ad8d7e7305ba7074 (patch)
treeed8ff5566a52062fd73e8fdb4dd20e13581c7282 /core/src
parentf66cfd7369b3c12cd0ed4c47c49377ed01727abd (diff)
downloadpdfium-3d9eb67ea0a5e110234a4576ad8d7e7305ba7074.tar.xz
Fix an issue 'heap use after free'
This fix covers more scenarios: some faces, such as the Foxit-defined faces and the MM faces, are managed by the built-in mapper and are released there rather than in the font manager. BUG=452793 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1095733003
Diffstat (limited to 'core/src')
-rw-r--r--core/src/fxge/ge/fx_ge_fontmap.cpp36
1 files changed, 27 insertions, 9 deletions
diff --git a/core/src/fxge/ge/fx_ge_fontmap.cpp b/core/src/fxge/ge/fx_ge_fontmap.cpp
index 3230ea0ce1..9a8380b77e 100644
--- a/core/src/fxge/ge/fx_ge_fontmap.cpp
+++ b/core/src/fxge/ge/fx_ge_fontmap.cpp
@@ -36,11 +36,11 @@ CTTFontDesc::~CTTFontDesc()
FX_Free(m_pFontData);
}
}
-FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face)
+FX_INT32 CTTFontDesc::ReleaseFace(FXFT_Face face)
{
if (m_Type == 1) {
if (m_SingleFace.m_pFace != face) {
- return FALSE;
+ return -1;
}
} else if (m_Type == 2) {
int i;
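Review bot: Changing the return type of CTTFontDesc::ReleaseFace from FX_BOOL to FX_INT32 at L27 inverts the meaning of the result for any caller that still tests it as a boolean, because -1 ("face not owned by this descriptor") is now truthy while 0 ("released and deleted") is falsy. The only call site updated in this commit is CFX_FontMgr::ReleaseFace; the header declaration and any other caller are outside this diff (which is limited to core/src) and should be checked. A comment on the definition would make the new contract explicit: `// Returns -1 if |face| is not owned by this desc, otherwise the remaining ref count; 0 means |this| has been deleted.` ReleaseFace continues past the end of this hunk.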
@@ -49,15 +49,15 @@ FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face)
break;
}
if (i == 16) {
- return FALSE;
+ return -1;
}
}
m_RefCount --;
if (m_RefCount) {
- return FALSE;
+ return m_RefCount;
}
delete this;
- return TRUE;
+ return 0;
}
CFX_FontMgr::CFX_FontMgr()
{
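Review bot: `m_RefCount --` at L44 runs with no check that the count is still positive, so a face released once more than it was retained is silently misreported: if m_RefCount is signed the function returns -1 and the caller treats the descriptor as not owning the face (and then frees the face itself), if unsigned `return m_RefCount` at L47 yields a huge positive count and the face is never freed. The declared type of m_RefCount is not visible here, so which of the two happens cannot be confirmed from this hunk. An assertion that `m_RefCount > 0` immediately before the decrement, using the project's assert macro, would surface the double release instead of letting it fall into the "not owned" path. The start of ReleaseFace is in the previous hunk.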
@@ -394,18 +394,21 @@ void CFX_FontMgr::ReleaseFace(FXFT_Face face)
if (face == NULL) {
return;
}
- FX_BOOL bFaceDone = FALSE;
FX_POSITION pos = m_FaceMap.GetStartPosition();
+ FX_BOOL bNeedFaceDone = TRUE;
while(pos) {
CFX_ByteString Key;
CTTFontDesc* ttface;
m_FaceMap.GetNextAssoc(pos, Key, (void*&)ttface);
- if (ttface->ReleaseFace(face)) {
+ int nRet = ttface->ReleaseFace(face);
+ if (nRet == 0) {
m_FaceMap.RemoveKey(Key);
- bFaceDone = TRUE;
+ bNeedFaceDone = FALSE;
+ } else if (nRet > 0) {
+ bNeedFaceDone = FALSE;
}
}
- if (!bFaceDone) {
+ if (bNeedFaceDone && !m_pBuiltinMapper->IsBuiltinFace(face)) {
FXFT_Done_Face(face);
}
}
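Review bot: `m_pBuiltinMapper->IsBuiltinFace(face)` at L77 is dereferenced with no NULL check, and nothing in this hunk shows when m_pBuiltinMapper is assigned, so a face that no descriptor owns would crash here if the mapper is ever unset; a guard `bNeedFaceDone && (!m_pBuiltinMapper || !m_pBuiltinMapper->IsBuiltinFace(face))` would keep the old fallback of freeing the face. The two branches at L68-74 set the same flag and can be merged as `if (nRet >= 0) { bNeedFaceDone = FALSE; if (nRet == 0) m_FaceMap.RemoveKey(Key); }`, which also makes it obvious that ttface has deleted itself when nRet == 0 and must not be touched afterwards. A comment on nRet would help the next reader: `// -1: not this desc; 0: desc released and deleted itself; >0: refs remain, face stays alive.`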
@@ -1341,6 +1344,21 @@ FXFT_Face CFX_FontMapper::FindSubstFontByUnicode(FX_DWORD dwUnicode, FX_DWORD fl
m_pFontInfo->DeleteFont(hFont);
return face;
}
+
+FX_BOOL CFX_FontMapper::IsBuiltinFace(const FXFT_Face face) const
+{
+ for (int i = 0; i < MM_FACE_COUNT; ++i) {
+ if (m_MMFaces[i] == face) {
+ return TRUE;
+ }
+ }
+ for (int i = 0; i < FOXIT_FACE_COUNT; ++i) {
+ if (m_FoxitFaces[i] == face) {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
extern "C" {
unsigned long _FTStreamRead(FXFT_Stream stream, unsigned long offset,
unsigned char* buffer, unsigned long count);
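Review bot: IsBuiltinFace at L86-99 returns TRUE for a NULL face whenever any slot in m_MMFaces or m_FoxitFaces is still unpopulated, because `m_MMFaces[i] == face` matches a NULL entry. The only caller in this commit filters NULL first (L56), but a guard `if (!face) return FALSE;` at the top keeps the helper correct on its own; whether the slots can actually be NULL depends on how they are filled, which is outside this diff. A short comment on the function would also document why the manager must not free these faces: `// Faces in m_MMFaces/m_FoxitFaces are owned and freed by the mapper, not by CFX_FontMgr::ReleaseFace.` The declaration in the class header is not part of this diff and must be added alongside.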