Avoid endless loop deleting CFGAS_GEFont.

It's a ref-counted class, so if we're in the destructor, the ref
count has hit zero. We can't make a new ref pointer to itself here,
as it will re-invoke the destructor when it goes out of scope. This
should have been an obvious anti-pattern in hindsight.

The object in question can't be in the m_pFontManager, since the font
manager retains a reference, and we wouldn't get to this destructor
while that is present. So the cleanup isn't required.

Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp.
I also converted to use unique_ptrs in a few places near this issue.

Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr
is not a good idea as it doesn't bump the ref count.

Also protect and friend the CFGAS_GEFont destructor, to make sure
random deletes don't happen.

Also kill off a const cast, and remove unnecessary conversion to
retain_ptr when we already have one.

TEST=look for absence of -11 in XFA corpus test logs, bots not
     currently noticing the segv.  Argh.

Review-Url: https://codereview.chromium.org/2631703003

1 files changed, 4 insertions, 1 deletions

diff --git a/xfa/fxfa/app/cxfa_pieceline.h b/xfa/fxfa/app/cxfa_pieceline.h
index 48dfdae04d..3e6bb99876 100644
--- a/xfa/fxfa/app/cxfa_pieceline.h
+++ b/xfa/fxfa/app/cxfa_pieceline.h
@@ -7,6 +7,9 @@
 #ifndef XFA_FXFA_APP_CXFA_PIECELINE_H_
 #define XFA_FXFA_APP_CXFA_PIECELINE_H_
 
+#include <memory>
+#include <vector>
+
 #include "core/fxcrt/fx_basic.h"
 
 class XFA_TextPiece;
@@ -16,7 +19,7 @@ class CXFA_PieceLine {
   CXFA_PieceLine();
   ~CXFA_PieceLine();
 
-  CFX_ArrayTemplate<XFA_TextPiece*> m_textPieces;
+  std::vector<std::unique_ptr<XFA_TextPiece>> m_textPieces;
   CFX_ArrayTemplate<int32_t> m_charCounts;
 };