Avoid endless loop deleting CFGAS_GEFont.

It's a ref-counted class, so if we're in the destructor, the ref
count has hit zero. We can't make a new ref pointer to itself here,
as it will re-invoke the destructor when it goes out of scope. This
should have been an obvious anti-pattern in hindsight.

The object in question can't be in the m_pFontManager, since the font
manager retains a reference, and we wouldn't get to this destructor
while that is present. So the cleanup isn't required.

Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp.
I also converted to use unique_ptrs in a few places near this issue.

Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr
is not a good idea as it doesn't bump the ref count.

Also protect and friend the CFGAS_GEFont destructor, to make sure
random deletes don't happen.

Also kill off a const cast, and remove unnecessary conversion to
retain_ptr when we already have one.

TEST=look for absence of -11 in XFA corpus test logs, bots not
     currently noticing the segv.  Argh.

Review-Url: https://codereview.chromium.org/2631703003

2 files changed, 7 insertions, 11 deletions

diff --git a/xfa/fgas/font/cfgas_gefont.cpp b/xfa/fgas/font/cfgas_gefont.cpp
index 49639c2005..d0e7f13c3a 100644
--- a/xfa/fgas/font/cfgas_gefont.cpp
+++ b/xfa/fgas/font/cfgas_gefont.cpp
@@ -27,8 +27,7 @@ CFX_RetainPtr<CFGAS_GEFont> CFGAS_GEFont::LoadFont(
   if (!pFontMgr)
     return nullptr;
 
-  return CFX_RetainPtr<CFGAS_GEFont>(
-      pFontMgr->GetFontByCodePage(wCodePage, dwFontStyles, pszFontFamily));
+  return pFontMgr->GetFontByCodePage(wCodePage, dwFontStyles, pszFontFamily);
 #else
   auto pFont = pdfium::MakeRetain<CFGAS_GEFont>(pFontMgr);
   if (!pFont->LoadFontInternal(pszFontFamily, dwFontStyles, wCodePage))
@@ -119,9 +118,6 @@ CFGAS_GEFont::CFGAS_GEFont(const CFX_RetainPtr<CFGAS_GEFont>& src,
 }
 
 CFGAS_GEFont::~CFGAS_GEFont() {
-  if (m_pFontMgr)
-    m_pFontMgr->RemoveFont(CFX_RetainPtr<CFGAS_GEFont>(this));
-
   if (!m_bExternalFont)
     delete m_pFont;
 }
@@ -429,10 +425,9 @@ int32_t CFGAS_GEFont::GetDescent() const {
   return m_pFont->GetDescent();
 }
 
-CFX_RetainPtr<CFGAS_GEFont> CFGAS_GEFont::GetSubstFont(
-    int32_t iGlyphIndex) const {
+CFX_RetainPtr<CFGAS_GEFont> CFGAS_GEFont::GetSubstFont(int32_t iGlyphIndex) {
   iGlyphIndex = static_cast<uint32_t>(iGlyphIndex) >> 24;
   if (iGlyphIndex == 0)
-    return CFX_RetainPtr<CFGAS_GEFont>(const_cast<CFGAS_GEFont*>(this));
+    return CFX_RetainPtr<CFGAS_GEFont>(this);
   return m_SubstFonts[iGlyphIndex - 1];
 }
diff --git a/xfa/fgas/font/cfgas_gefont.h b/xfa/fgas/font/cfgas_gefont.h
index de4f9639e0..6c9d890df4 100644
--- a/xfa/fgas/font/cfgas_gefont.h
+++ b/xfa/fgas/font/cfgas_gefont.h
@@ -24,6 +24,8 @@ class CXFA_PDFFontMgr;
 
 class CFGAS_GEFont : public CFX_Retainable {
  public:
+  template <typename T>
+  friend class CFX_RetainPtr;
   template <typename T, typename... Args>
   friend CFX_RetainPtr<T> pdfium::MakeRetain(Args&&... args);
 
@@ -46,8 +48,6 @@ class CFGAS_GEFont : public CFX_Retainable {
       bool bSaveStream);
 #endif
 
-  ~CFGAS_GEFont() override;
-
   CFX_RetainPtr<CFGAS_GEFont> Derive(uint32_t dwFontStyles,
                                      uint16_t wCodePage = 0);
   uint32_t GetFontStyles() const;
@@ -57,7 +57,7 @@ class CFGAS_GEFont : public CFX_Retainable {
   int32_t GetDescent() const;
   bool GetCharBBox(FX_WCHAR wUnicode, CFX_Rect* bbox, bool bCharCode = false);
   bool GetBBox(CFX_Rect* bbox);
-  CFX_RetainPtr<CFGAS_GEFont> GetSubstFont(int32_t iGlyphIndex) const;
+  CFX_RetainPtr<CFGAS_GEFont> GetSubstFont(int32_t iGlyphIndex);
   CFX_Font* GetDevFont() const { return m_pFont; }
   void SetFontProvider(CXFA_PDFFontMgr* pProvider) { m_pProvider = pProvider; }
 #if _FXM_PLATFORM_ != _FXM_PLATFORM_WINDOWS_
@@ -70,6 +70,7 @@ class CFGAS_GEFont : public CFX_Retainable {
  private:
   explicit CFGAS_GEFont(CFGAS_FontMgr* pFontMgr);
   CFGAS_GEFont(const CFX_RetainPtr<CFGAS_GEFont>& src, uint32_t dwFontStyles);
+  ~CFGAS_GEFont() override;
 
 #if _FXM_PLATFORM_ == _FXM_PLATFORM_WINDOWS_
   bool LoadFontInternal(const FX_WCHAR* pszFontFamily,