diff options
Diffstat (limited to 'core/fpdfapi/font/cpdf_type3char.cpp')
-rw-r--r-- | core/fpdfapi/font/cpdf_type3char.cpp | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/core/fpdfapi/font/cpdf_type3char.cpp b/core/fpdfapi/font/cpdf_type3char.cpp index d9794c27d3..e11193fdaa 100644 --- a/core/fpdfapi/font/cpdf_type3char.cpp +++ b/core/fpdfapi/font/cpdf_type3char.cpp @@ -31,10 +31,21 @@ bool CPDF_Type3Char::LoadBitmap(CPDF_RenderContext* pContext) { return false; m_ImageMatrix = pPageObj->AsImage()->matrix(); - CFX_RetainPtr<CFX_DIBSource> pSource = - pPageObj->AsImage()->GetImage()->LoadDIBSource(); - if (pSource) - m_pBitmap = pSource->Clone(nullptr); + { + // |pSource| actually gets assigned a CPDF_DIBSource, which has pointers + // into objects owned by |m_pForm|. Make sure it is out of scope before + // clearing the form. + CFX_RetainPtr<CFX_DIBSource> pSource = + pPageObj->AsImage()->GetImage()->LoadDIBSource(); + + // Clone() is non-virtual, and can't be overloaded by CPDF_DIBSource to + // return a clone of the subclass as one would typically expect from a + // such a method. Instead, it only clones the CFX_DIBSource, none of whose + // members point to objects owned by the form. As a result, |m_pBitmap| + // may outlive |m_pForm|. + if (pSource) + m_pBitmap = pSource->Clone(nullptr); + } m_pForm.reset(); return true; } |