Diffstat (limited to 'core/fpdfapi/font')
-rw-r--r--core/fpdfapi/font/cpdf_cidfont.h3
-rw-r--r--core/fpdfapi/font/cpdf_type3char.cpp19
2 files changed, 17 insertions, 5 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.h b/core/fpdfapi/font/cpdf_cidfont.h
index 0fd5e63f1c..07982a418f 100644
--- a/core/fpdfapi/font/cpdf_cidfont.h
+++ b/core/fpdfapi/font/cpdf_cidfont.h
@@ -12,6 +12,7 @@
#include "core/fpdfapi/font/cpdf_font.h"
#include "core/fxcrt/cfx_retain_ptr.h"
+#include "core/fxcrt/cfx_unowned_ptr.h"
#include "core/fxcrt/fx_string.h"
#include "core/fxcrt/fx_system.h"
@@ -73,7 +74,7 @@ class CPDF_CIDFont : public CPDF_Font {
wchar_t GetUnicodeFromCharCode(uint32_t charcode) const;
CFX_RetainPtr<CPDF_CMap> m_pCMap;
- CPDF_CID2UnicodeMap* m_pCID2UnicodeMap;
+ CFX_UnownedPtr<CPDF_CID2UnicodeMap> m_pCID2UnicodeMap;
CIDSet m_Charset;
bool m_bType1;
bool m_bCIDIsGID;
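Review bot: `m_pCID2UnicodeMap` is now declared as `CFX_UnownedPtr<CPDF_CID2UnicodeMap>`, but the declaration still does not say which object owns the map or why it is expected to outlive the font. A one-line comment above the member, for example `// Not owned; <owning object> must outlive this font.`, would let a reader check the lifetime assumption that the wrapper type is there to express. The class body starts and ends outside this hunk, so the owner cannot be named from what is visible here.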
diff --git a/core/fpdfapi/font/cpdf_type3char.cpp b/core/fpdfapi/font/cpdf_type3char.cpp
index d9794c27d3..e11193fdaa 100644
--- a/core/fpdfapi/font/cpdf_type3char.cpp
+++ b/core/fpdfapi/font/cpdf_type3char.cpp
@@ -31,10 +31,21 @@ bool CPDF_Type3Char::LoadBitmap(CPDF_RenderContext* pContext) {
return false;
m_ImageMatrix = pPageObj->AsImage()->matrix();
- CFX_RetainPtr<CFX_DIBSource> pSource =
- pPageObj->AsImage()->GetImage()->LoadDIBSource();
- if (pSource)
- m_pBitmap = pSource->Clone(nullptr);
+ {
+ // |pSource| actually gets assigned a CPDF_DIBSource, which has pointers
+ // into objects owned by |m_pForm|. Make sure it is out of scope before
+ // clearing the form.
+ CFX_RetainPtr<CFX_DIBSource> pSource =
+ pPageObj->AsImage()->GetImage()->LoadDIBSource();
+
+ // Clone() is non-virtual, and can't be overloaded by CPDF_DIBSource to
+ // return a clone of the subclass as one would typically expect from a
+ // such a method. Instead, it only clones the CFX_DIBSource, none of whose
+ // members point to objects owned by the form. As a result, |m_pBitmap|
+ // may outlive |m_pForm|.
+ if (pSource)
+ m_pBitmap = pSource->Clone(nullptr);
+ }
m_pForm.reset();
return true;
}
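Review bot: The safety of `m_pForm.reset()` rests on `Clone()` staying non-virtual and returning a bitmap with no pointers into the form, and nothing in this hunk enforces that. If CPDF_DIBSource later gains its own clone that copies those pointers, `m_pBitmap` would refer to freed form objects. Consider recording the invariant where `Clone()` is declared, e.g. `// Must return a self-contained bitmap; CPDF_Type3Char::LoadBitmap() relies on this.`. Separately, when `pSource` is null the function still clears the form and returns true without setting `m_pBitmap`; whether callers tolerate that cannot be confirmed, because the start of LoadBitmap is outside the hunk. The new comment also has a doubled article ("from a such a method").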