diff options
author | Ke Liu <stackexploit@gmail.com> | 2018-04-16 05:19:07 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-04-16 05:19:07 +0000 |
commit | d5624a47bcaad45f6fcb30ad03b6e474f5cee17e (patch) | |
tree | ddaaf60b6f0afa4bd2cfc499c7d9f41d7c06204c /xfa/fgas/font | |
parent | b71d24c1affe8648963ba5024b62e5dbf4479ae2 (diff) | |
download | pdfium-d5624a47bcaad45f6fcb30ad03b6e474f5cee17e.tar.xz |
Fix UAF in CFGAS_FontMgr::FindFontchromium/3398
Fix an use-after-free issue which was introduced by
commit 53279b1dcabae4913f7f0a58e741942e82ab7d59.
Bug: chromium:832589
Change-Id: Id7da791c3aa2d71d0a9e56d062069f41b7eb48d1
Reviewed-on: https://pdfium-review.googlesource.com/30570
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'xfa/fgas/font')
-rw-r--r-- | xfa/fgas/font/cfgas_fontmgr.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp index b4e6bdc912..d7acc62eef 100644 --- a/xfa/fgas/font/cfgas_fontmgr.cpp +++ b/xfa/fgas/font/cfgas_fontmgr.cpp @@ -229,8 +229,12 @@ const FX_FONTDESCRIPTOR* CFGAS_FontMgr::FindFont(const wchar_t* pszFontFamily, if (!pszFontFamily) return nullptr; + // Use a named object to store the returned value of EnumGdiFonts() instead + // of using a temporary object. This can prevent use-after-free issues since + // pDesc may point to one of std::deque object's elements. + std::deque<FX_FONTDESCRIPTOR> namedFonts = EnumGdiFonts(pszFontFamily, wUnicode); params.pwsFamily = nullptr; - pDesc = MatchDefaultFont(¶ms, EnumGdiFonts(pszFontFamily, wUnicode)); + pDesc = MatchDefaultFont(¶ms, namedFonts); if (!pDesc) return nullptr; |