Diffstat (limited to 'core/fpdfapi/font')
-rw-r--r-- | core/fpdfapi/font/cpdf_cidfont.h | 3 | ||||
-rw-r--r-- | core/fpdfapi/font/cpdf_type3char.cpp | 19 |
2 files changed, 17 insertions, 5 deletions
diff --git a/core/fpdfapi/font/cpdf_cidfont.h b/core/fpdfapi/font/cpdf_cidfont.h
index 0fd5e63f1c..07982a418f 100644
--- a/core/fpdfapi/font/cpdf_cidfont.h
+++ b/core/fpdfapi/font/cpdf_cidfont.h
@@ -12,6 +12,7 @@
 #include "core/fpdfapi/font/cpdf_font.h"
 #include "core/fxcrt/cfx_retain_ptr.h"
+#include "core/fxcrt/cfx_unowned_ptr.h"
 #include "core/fxcrt/fx_string.h"
 #include "core/fxcrt/fx_system.h"
@@ -73,7 +74,7 @@ class CPDF_CIDFont : public CPDF_Font {
 wchar_t GetUnicodeFromCharCode(uint32_t charcode) const;
 CFX_RetainPtr<CPDF_CMap> m_pCMap;
- CPDF_CID2UnicodeMap* m_pCID2UnicodeMap;
+ CFX_UnownedPtr<CPDF_CID2UnicodeMap> m_pCID2UnicodeMap;
 CIDSet m_Charset;
 bool m_bType1;
 bool m_bCIDIsGID;
diff --git a/core/fpdfapi/font/cpdf_type3char.cpp b/core/fpdfapi/font/cpdf_type3char.cpp
index d9794c27d3..e11193fdaa 100644
--- a/core/fpdfapi/font/cpdf_type3char.cpp
+++ b/core/fpdfapi/font/cpdf_type3char.cpp
@@ -31,10 +31,21 @@ bool CPDF_Type3Char::LoadBitmap(CPDF_RenderContext* pContext) {
 return false;
 m_ImageMatrix = pPageObj->AsImage()->matrix();
- CFX_RetainPtr<CFX_DIBSource> pSource =
- pPageObj->AsImage()->GetImage()->LoadDIBSource();
- if (pSource)
- m_pBitmap = pSource->Clone(nullptr);
+ {
+ // |pSource| actually gets assigned a CPDF_DIBSource, which has pointers
+ // into objects owned by |m_pForm|. Make sure it is out of scope before
+ // clearing the form.
+ CFX_RetainPtr<CFX_DIBSource> pSource =
+ pPageObj->AsImage()->GetImage()->LoadDIBSource();
+
+ // Clone() is non-virtual, and can't be overloaded by CPDF_DIBSource to
+ // return a clone of the subclass as one would typically expect from a
+ // such a method. Instead, it only clones the CFX_DIBSource, none of whose
+ // members point to objects owned by the form. As a result, |m_pBitmap|
+ // may outlive |m_pForm|.
+ if (pSource)
+ m_pBitmap = pSource->Clone(nullptr);
+ }
 m_pForm.reset();
 return true;
 }
|
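Review bot: The new declaration of `m_pCID2UnicodeMap` in the second cpdf_cidfont.h hunk marks the map as not owned by the font, but nothing at the member says which object owns it or what guarantees it outlives the font. A one-line comment on the member, for example `// Not owned; <OWNER-PLACEHOLDER> must outlive this font.`, would make that lifetime contract reviewable. From what I recall of CFX_UnownedPtr, its dangling-pointer probe runs only in memory-tool builds; if that holds here, release builds behave as they did with the raw pointer, so the owner still has to guarantee the lifetime. The class body continues outside the hunk.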
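Review bot: In the cpdf_type3char.cpp hunk, the safety of `m_pBitmap` after `m_pForm.reset()` rests on two things the code does not enforce: that the local `pSource` holds the only reference to the CPDF_DIBSource when the inner scope closes, and that `Clone()` stays non-virtual and copies only CFX_DIBSource state. Because CFX_RetainPtr is reference-counted, any second holder (none is visible in this hunk) would keep the source alive with pointers into freed form objects, so it is worth confirming that `LoadDIBSource()` returns a fresh, unshared object. The second assumption is recorded only at this call site; a matching comment at the `Clone()` declaration, e.g. `// Must not keep pointers into the source; CPDF_Type3Char::LoadBitmap() relies on this.`, would keep a later override from reintroducing the use-after-free. The added comment also has a doubled article in `from a` / `such a method`. LoadBitmap() begins above the hunk.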