authorTom Sepez <tsepez@chromium.org>2018-08-17 23:09:43 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-08-17 23:09:43 +0000
commita9d56105a725d223f87bd979ffbf61a8a2377c08 (patch)
treee450f3e0ccf185de7c4cbccd892eac6ed6fb360d /core
parentcffa651acfa7ca1d90aecea728e94c5c3dcdfe79 (diff)
downloadpdfium-a9d56105a725d223f87bd979ffbf61a8a2377c08.tar.xz
Use more UnownedPtr<> in cpdf_renderstatus.h.chromium/3526
This immediately flags a case where a pointer from a heap object to a caller's stack object is persisted past the caller's lifetime. Fix it the simplest way via AutoRestorer<> so we'll get a nice safe segv should it be used. Change-Id: I554304b235e73c279fa0cd79c9e3ee0138be45f9 Reviewed-on: https://pdfium-review.googlesource.com/40592 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'core')
-rw-r--r--core/fpdfapi/render/cpdf_renderstatus.cpp16
-rw-r--r--core/fpdfapi/render/cpdf_renderstatus.h4
2 files changed, 11 insertions, 9 deletions
diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp
index 5e554623df..2cbe495ce4 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.cpp
+++ b/core/fpdfapi/render/cpdf_renderstatus.cpp
@@ -1228,7 +1228,7 @@ bool CPDF_RenderStatus::ProcessForm(const CPDF_FormObject* pFormObj,
pFormDict ? pFormDict->GetDictFor("Resources") : nullptr;
CPDF_RenderStatus status(m_pContext.Get(), m_pDevice);
status.SetOptions(m_Options);
- status.SetStopObject(m_pStopObj);
+ status.SetStopObject(m_pStopObj.Get());
status.SetTransparency(m_Transparency);
status.SetDropObjects(m_bDropObjects);
status.SetFormResource(pResources);
@@ -1568,7 +1568,7 @@ bool CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject* pPageObj,
}
CPDF_RenderStatus bitmap_render(m_pContext.Get(), &bitmap_device);
bitmap_render.SetOptions(m_Options);
- bitmap_render.SetStopObject(m_pStopObj);
+ bitmap_render.SetStopObject(m_pStopObj.Get());
bitmap_render.SetStdCS(true);
bitmap_render.SetDropObjects(m_bDropObjects);
bitmap_render.SetFormResource(pFormResource);
@@ -1983,6 +1983,8 @@ void CPDF_RenderStatus::DrawTextPathWithPattern(const CPDF_TextObject* textobj,
path.m_Bottom = textobj->m_Bottom;
path.m_Right = textobj->m_Right;
path.m_Top = textobj->m_Top;
+
+ AutoRestorer<UnownedPtr<const CPDF_PageObject>> restorer2(&m_pCurObj);
RenderSingleObject(&path, pObj2Device);
return;
}
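Review bot: The new `AutoRestorer` on `m_pCurObj` has no comment saying why it is there or why it must be declared after `path`, and both matter for lifetime safety. Per the commit description, the call `RenderSingleObject(&path, pObj2Device)` leaves a pointer to a caller's stack object in `m_pCurObj`; the restorer only guards against that if it is destroyed before `path`, which holds as long as it stays declared after it (assuming `path` is a local of this scope; its declaration is outside the hunk). I would add `// |path| is a stack local; restore m_pCurObj before it goes out of scope.` above the declaration and use a descriptive name such as `cur_obj_restorer` instead of `restorer2`. Other callers that hand a stack object to `RenderSingleObject` are not visible here and may need the same guard, so saving and restoring `m_pCurObj` inside `RenderSingleObject` itself may be the more durable fix.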
@@ -2058,8 +2060,8 @@ void CPDF_RenderStatus::DrawShading(const CPDF_ShadingPattern* pPattern,
return;
}
CPDF_DeviceBuffer buffer;
- buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox, m_pCurObj,
- 150);
+ buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox,
+ m_pCurObj.Get(), 150);
CFX_Matrix FinalMatrix = *pMatrix;
FinalMatrix.Concat(*buffer.GetMatrix());
RetainPtr<CFX_DIBitmap> pBitmap = buffer.GetBitmap();
@@ -2479,9 +2481,9 @@ void CPDF_RenderStatus::CompositeDIBitmap(
int back_top;
FX_RECT rect(left, top, left + pDIBitmap->GetWidth(),
top + pDIBitmap->GetHeight());
- RetainPtr<CFX_DIBitmap> pBackdrop =
- GetBackdrop(m_pCurObj, rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated,
- &back_left, &back_top);
+ RetainPtr<CFX_DIBitmap> pBackdrop = GetBackdrop(
+ m_pCurObj.Get(), rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated,
+ &back_left, &back_top);
if (!pBackdrop)
return;
diff --git a/core/fpdfapi/render/cpdf_renderstatus.h b/core/fpdfapi/render/cpdf_renderstatus.h
index a7e845f237..f6d58843c0 100644
--- a/core/fpdfapi/render/cpdf_renderstatus.h
+++ b/core/fpdfapi/render/cpdf_renderstatus.h
@@ -188,8 +188,8 @@ class CPDF_RenderStatus {
CFX_RenderDevice* const m_pDevice;
CFX_Matrix m_DeviceMatrix;
CPDF_ClipPath m_LastClipPath;
- const CPDF_PageObject* m_pCurObj = nullptr;
- const CPDF_PageObject* m_pStopObj = nullptr;
+ UnownedPtr<const CPDF_PageObject> m_pCurObj;
+ UnownedPtr<const CPDF_PageObject> m_pStopObj;
CPDF_GraphicStates m_InitialStates;
std::unique_ptr<CPDF_ImageRenderer> m_pImageRenderer;
CPDF_Transparency m_Transparency;
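Review bot: The two converted members carry no comment about who owns the pointee, and `m_pCurObj` in particular can refer to an object on a caller's stack (the case this commit fixes in `DrawTextPathWithPattern`). A short comment would help the next editor, e.g. `// Not owned; may refer to a caller's stack object and must be restored before that object dies.` Dropping `= nullptr` is fine provided `UnownedPtr<>` default-constructs to null, which its definition (not shown here) should confirm. As far as I know the `UnownedPtr<>` lifetime probe is only active in sanitizer builds, so the type documents and detects the hazard in testing rather than preventing it in release builds. The class body starts and ends outside the hunk.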