[XFA] Force destruction order of font managers.chromium/2838

The GEFont points to the font manager which creates it and tries to unregister
itself. Currently the GEFont can be created by the default mapper and then
stored in a different mapper. If the default mapper is destroyed first, when
the second mapper cleans up the font there will be a call to unregister on
the default mapper causing a use-after-free.

The long term fix is to fixup the GEFont so it points to the correct mapper
to unregister from. This CL forces the destruction order in CXFA_FFApp to
cleanup the non-default mapper first.

BUG=chromium:637546

Review-Url: https://codereview.chromium.org/2259823004

1 files changed, 4 insertions, 6 deletions

diff --git a/xfa/fxfa/app/xfa_fontmgr.cpp b/xfa/fxfa/app/xfa_fontmgr.cpp
index 5bb4ccb816..d191ce3537 100644
--- a/xfa/fxfa/app/xfa_fontmgr.cpp
+++ b/xfa/fxfa/app/xfa_fontmgr.cpp
@@ -1775,18 +1775,17 @@ CFGAS_GEFont* CXFA_DefFontMgr::GetFont(CXFA_FFDoc* hDoc,
         CFX_WideString wsReplace =
             CFX_WideString(pReplace, pNameText - pReplace);
         pFont = pFDEFontMgr->LoadFont(wsReplace.c_str(), dwStyle, wCodePage);
-        if (pFont) {
+        if (pFont)
           break;
-        }
+
         iLength--;
         pNameText++;
         pReplace = pNameText;
       }
     }
   }
-  if (pFont) {
+  if (pFont)
     m_CacheFonts.Add(pFont);
-  }
   return pFont;
 }
 
@@ -1804,9 +1803,8 @@ CFGAS_GEFont* CXFA_DefFontMgr::GetDefaultFont(
   }
 
   ASSERT(pFont);
-  if (pFont) {
+  if (pFont)
     m_CacheFonts.Add(pFont);
-  }
   return pFont;
 }
 struct XFA_PDFFONTNAME {