diff options
| author | tsepez <tsepez@chromium.org> | 2017-01-17 11:05:57 -0800 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2017-01-17 11:05:57 -0800 |
| commit | 783a7e048c677d26aaf3884304627bbe27cff546 (patch) | |
| tree | b03feaa32114472f54855c1b702e5bfda28d2be1 /xfa/fxfa/app/cxfa_textlayout.h | |
| parent | b9fbe6e9af590a91ab030d2523a147e972816b32 (diff) | |
| download | pdfium-783a7e048c677d26aaf3884304627bbe27cff546.tar.xz | |
Avoid endless loop deleting CFGAS_GEFont.
It's a ref-counted class, so if we're in the destructor, the ref
count has hit zero. We can't make a new ref pointer to itself here,
as it will re-invoke the destructor when it goes out of scope. This
should have been an obvious anti-pattern in hindsight.
The object in question can't be in the m_pFontManager, since the font
manager retains a reference, and we wouldn't get to this destructor
while that is present. So the cleanup isn't required.
Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp.
I also converted to use unique_ptrs in a few places near this issue.
Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr
is not a good idea as it doesn't bump the ref count.
Also protect and friend the CFGAS_GEFont destructor, to make sure
random deletes don't happen.
Also kill off a const cast, and remove unnecessary conversion to
retain_ptr when we already have one.
TEST=look for absence of -11 in XFA corpus test logs, bots not
currently noticing the segv. Argh.
Review-Url: https://codereview.chromium.org/2631703003
Diffstat (limited to 'xfa/fxfa/app/cxfa_textlayout.h')
| -rw-r--r-- | xfa/fxfa/app/cxfa_textlayout.h | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/xfa/fxfa/app/cxfa_textlayout.h b/xfa/fxfa/app/cxfa_textlayout.h index 8575071faa..4de53d1eb0 100644 --- a/xfa/fxfa/app/cxfa_textlayout.h +++ b/xfa/fxfa/app/cxfa_textlayout.h @@ -8,6 +8,7 @@ #define XFA_FXFA_APP_CXFA_TEXTLAYOUT_H_ #include <memory> +#include <vector> #include "core/fxcrt/fx_basic.h" #include "core/fxcrt/fx_coordinates.h" @@ -52,9 +53,11 @@ class CXFA_TextLayout { const CFX_Matrix& tmDoc2Device, const CFX_RectF& rtClip, int32_t iBlock = 0); - bool IsLoaded() const { return m_pieceLines.GetSize() > 0; } + bool IsLoaded() const { return !m_pieceLines.empty(); } void Unload(); - const CFX_ArrayTemplate<CXFA_PieceLine*>* GetPieceLines(); + const std::vector<std::unique_ptr<CXFA_PieceLine>>* GetPieceLines() const { + return &m_pieceLines; + } bool m_bHasBlock; CFX_Int32Array m_Blocks; @@ -112,7 +115,7 @@ class CXFA_TextLayout { int32_t GetDisplayPos(const XFA_TextPiece* pPiece, FXTEXT_CHARPOS* pCharPos, bool bCharCode = false); - bool ToRun(const XFA_TextPiece* pPiece, FX_RTFTEXTOBJ& tr); + bool ToRun(const XFA_TextPiece* pPiece, FX_RTFTEXTOBJ* tr); void DoTabstops(CFDE_CSSComputedStyle* pStyle, CXFA_PieceLine* pPieceLine); bool Layout(int32_t iBlock); int32_t CountBlocks() const; @@ -125,7 +128,7 @@ class CXFA_TextLayout { int32_t m_iLines; FX_FLOAT m_fMaxWidth; CXFA_TextParser m_textParser; - CFX_ArrayTemplate<CXFA_PieceLine*> m_pieceLines; + std::vector<std::unique_ptr<CXFA_PieceLine>> m_pieceLines; std::unique_ptr<CXFA_TextTabstopsContext> m_pTabstopContext; bool m_bBlockContinue; }; |