authorJun Fang <jun_fang@foxitsoftware.com>2015-12-09 19:08:59 -0800
committerJun Fang <jun_fang@foxitsoftware.com>2015-12-09 19:08:59 -0800
commit03ae07fabe4764ebb445d208fa199e285168ed25 (patch)
tree7d273d2efa430d0de46fe6e63b492efd75306cee /core/src
parentbd573f126f93acc2034be2df1c6f571670f76c35 (diff)
downloadpdfium-03ae07fabe4764ebb445d208fa199e285168ed25.tar.xz
Fix heap-use-after-free in FT_Stream_ReleaseFrame
BUG=452793,561478 R=tsepez@chromium.org Review URL: https://codereview.chromium.org/1512873002 .
Diffstat (limited to 'core/src')
-rw-r--r--core/src/fxge/ge/fx_ge_fontmap.cpp21
-rw-r--r--core/src/fxge/ge/text_int.h5
2 files changed, 18 insertions, 8 deletions
diff --git a/core/src/fxge/ge/fx_ge_fontmap.cpp b/core/src/fxge/ge/fx_ge_fontmap.cpp
index f16200a9ce..ecec77f2ce 100644
--- a/core/src/fxge/ge/fx_ge_fontmap.cpp
+++ b/core/src/fxge/ge/fx_ge_fontmap.cpp
@@ -437,10 +437,10 @@ CTTFontDesc::~CTTFontDesc() {
}
FX_Free(m_pFontData);
}
-FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) {
+int CTTFontDesc::ReleaseFace(FXFT_Face face) {
if (m_Type == 1) {
if (m_SingleFace.m_pFace != face) {
- return FALSE;
+ return -1;
}
} else if (m_Type == 2) {
int i;
@@ -449,15 +449,15 @@ FX_BOOL CTTFontDesc::ReleaseFace(FXFT_Face face) {
break;
}
if (i == 16) {
- return FALSE;
+ return -1;
}
}
m_RefCount--;
if (m_RefCount) {
- return FALSE;
+ return m_RefCount;
}
delete this;
- return TRUE;
+ return 0;
}
CFX_FontMgr::CFX_FontMgr() : m_FTLibrary(nullptr) {
@@ -621,13 +621,20 @@ void CFX_FontMgr::ReleaseFace(FXFT_Face face) {
if (!face) {
return;
}
+ FX_BOOL bNeedFaceDone = TRUE;
auto it = m_FaceMap.begin();
while (it != m_FaceMap.end()) {
auto temp = it++;
- if (temp->second->ReleaseFace(face)) {
+ int nRet = temp->second->ReleaseFace(face);
+ if (nRet == -1)
+ continue;
+ bNeedFaceDone = FALSE;
+ if (nRet == 0)
m_FaceMap.erase(temp);
- }
+ break;
}
+ if (bNeedFaceDone && !m_pBuiltinMapper->IsBuiltinFace(face))
+ FXFT_Done_Face(face);
}
bool CFX_FontMgr::GetBuiltinFont(size_t index,
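Review bot: The sentinel and an underflowed count collide: `m_RefCount--` followed by `return m_RefCount;` in CTTFontDesc::ReleaseFace yields -1 when the count was already zero, and the caller in CFX_FontMgr::ReleaseFace takes -1 to mean "this descriptor does not own face" and continues the scan, so the descriptor stays in m_FaceMap while bNeedFaceDone remains TRUE and FXFT_Done_Face(face) runs on a face that descriptor presumably still references. An `ASSERT(m_RefCount > 0);` (or the project's equivalent) before the decrement would make that state fail loudly instead of aliasing the "not mine" result. Separately, the caller tests `if (nRet == -1)` while the new comment in text_int.h documents the contract as `ret < 0`; `if (nRet < 0)` keeps the check aligned with the documented interface. CTTFontDesc::ReleaseFace spans the first two hunks, so its remaining body is only partly visible here.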
diff --git a/core/src/fxge/ge/text_int.h b/core/src/fxge/ge/text_int.h
index f17cf7f18f..1b96cfbdd2 100644
--- a/core/src/fxge/ge/text_int.h
+++ b/core/src/fxge/ge/text_int.h
@@ -29,7 +29,10 @@ class CTTFontDesc {
m_RefCount = 0;
}
~CTTFontDesc();
- FX_BOOL ReleaseFace(FXFT_Face face);
+ // ret < 0, releaseface not appropriate for this object.
+ // ret == 0, object released
+ // ret > 0, object still alive, other referrers.
+ int ReleaseFace(FXFT_Face face);
int m_Type;
union {
struct {
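Review bot: The new comment on ReleaseFace should state that a 0 return means the object has deleted itself, since the implementation in fx_ge_fontmap.cpp does `delete this` before returning 0 and the caller must not touch the descriptor afterwards; the current wording "object released" does not convey that the pointer is dead. Something like `// ret == 0, object released and deleted; caller must not use it afterwards.` makes the ownership hand-off explicit. The negative case could also name the actual value (`-1`) rather than `< 0`, since the only caller compares against -1 exactly.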