From 1b9c5c4dc41956b8c5ab17b9a882adf8a2513768 Mon Sep 17 00:00:00 2001
From: Jun Fang
Date: Tue, 5 Aug 2014 02:38:22 -0700
Subject: The root cause of this issue is shown as below:

Patterns are managed in CPDF_DocPageData. When a document is closed, all patterns will be released in the deconstruction of CPDF_DocPageData. However, some patterns which are referenced in CPDF_Color can't get the notification from the destroy of CPDF_DocPageData. It will cause use-after-free in CPDF_Color::~CPDF_Color.

BUG=392719
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/439693002
---
 core/include/fpdfapi/fpdf_resource.h | 26 +++++++++++-------------
 core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp | 4 ++++
 core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp | 17 ++++++++++++++++
 3 files changed, 33 insertions(+), 14 deletions(-)

diff --git a/core/include/fpdfapi/fpdf_resource.h b/core/include/fpdfapi/fpdf_resource.h
index 7e9e412325..4ce4ddc8bb 100644
--- a/core/include/fpdfapi/fpdf_resource.h
+++ b/core/include/fpdfapi/fpdf_resource.h
@@ -730,27 +730,25 @@ protected:
 class CPDF_Pattern : public CFX_Object
 {
 public:
+
+ virtual ~CPDF_Pattern();
+ void SaveColor(CPDF_Color* pColor) {m_pColor = pColor;}
- virtual ~CPDF_Pattern() {}
+ CPDF_Object* m_pPatternObj;
- CPDF_Object* m_pPatternObj;
+ int m_PatternType;
- int m_PatternType;
+ CFX_AffineMatrix m_Pattern2Form;
+ CFX_AffineMatrix m_ParentMatrix;
- CFX_AffineMatrix m_Pattern2Form;
- CFX_AffineMatrix m_ParentMatrix;
-
- CPDF_Document* m_pDocument;
+ CPDF_Document* m_pDocument;
+ CPDF_Color* m_pColor;
 protected:
-
- CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix)
- {
- if (pParentMatrix) {
- m_ParentMatrix = *pParentMatrix;
- }
- }
+
+ CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix);
 };
+
 class CPDF_TilingPattern : public CPDF_Pattern
 {
 public:
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
index 1b7cb03ee2..8cd26fee37 100644
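Review bot: The new `CPDF_Color* m_pColor` member holds a single registrant, so a CPDF_Pattern referenced by two colors is notified about only the one that called `SaveColor(this)` last, and the other still ends up with a dangling `m_pPattern` when the pattern is destroyed — the same use-after-free this commit fixes, in the shared case. Whether one CPDF_Pattern instance is handed to several colors is not visible here, but `ReleasePattern(pPattern->m_pPatternObj)` being keyed on the pattern object suggests CPDF_DocPageData caches one instance per object; if so, `SaveColor` should add to and remove from a small list of observers rather than assign, with `~CPDF_Pattern` resetting every entry. At minimum, ReleaseBuffer should not clear a registration that belongs to another color: `if (pPattern->m_pColor == this) pPattern->SaveColor(NULL);`. The same concern applies to the ReleaseBuffer and SetValue hunks in fpdf_page_colors.cpp. I would also document the member, e.g. `CPDF_Color* m_pColor;  // Non-owning back-pointer to the color that last called SaveColor(); cleared by CPDF_Color::ReleaseBuffer() and by ~CPDF_Pattern().`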
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_colors.cpp
@@ -1269,6 +1269,7 @@ void CPDF_Color::ReleaseBuffer()
 PatternValue* pvalue = (PatternValue*)m_pBuffer;
 CPDF_Pattern* pPattern = pvalue->m_pPattern;
 if (pPattern && pPattern->m_pDocument) {
+ pPattern->SaveColor(NULL);
 pPattern->m_pDocument->GetPageData()->ReleasePattern(pPattern->m_pPatternObj);
 }
 }
@@ -1329,6 +1330,9 @@ void CPDF_Color::SetValue(CPDF_Pattern* pPattern, FX_FLOAT* comps, int ncomps)
 }
 pvalue->m_nComps = ncomps;
 pvalue->m_pPattern = pPattern;
+ if (pPattern) {
+ pPattern->SaveColor(this);
+ }
 if (ncomps) {
 FXSYS_memcpy32(pvalue->m_Comps, comps, ncomps * sizeof(FX_FLOAT));
 }
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
index 8cb6dc77dc..c7c1e7a565 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
@@ -6,6 +6,22 @@
 #include "../../../include/fpdfapi/fpdf_page.h"
 #include "pageint.h"
+
+CPDF_Pattern::CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix) :
+ m_pPatternObj(NULL), m_PatternType(PATTERN_TILING), m_pDocument(NULL), m_pColor(NULL)
+{
+ if (pParentMatrix) {
+ m_ParentMatrix = *pParentMatrix;
+ }
+}
+
+CPDF_Pattern::~CPDF_Pattern()
+{
+ if (m_pColor) {
+ m_pColor->SetValue(NULL, NULL, 0);
+ m_pColor = NULL;
+ }
+}
 CPDF_TilingPattern::CPDF_TilingPattern(CPDF_Document* pDoc, CPDF_Object* pPatternObj, const CFX_AffineMatrix* parentMatrix) : CPDF_Pattern(parentMatrix)
 {
@@ -25,6 +41,7 @@ CPDF_TilingPattern::~CPDF_TilingPattern()
 {
 if (m_pForm) {
 delete m_pForm;
+ m_pForm = NULL;
 }
 }
 FX_BOOL CPDF_TilingPattern::Load()
-- 
cgit v1.2.3
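Review bot: The order of the two calls inside the `if (pPattern && pPattern->m_pDocument)` block in ReleaseBuffer matters and is not explained: `SaveColor(NULL)` has to precede `ReleasePattern()`, since releasing may destroy the pattern and `~CPDF_Pattern` would otherwise call `SetValue(NULL, NULL, 0)` back into this color while its buffer is being released. I would add above the new line: `// Detach before releasing: ReleasePattern() may delete the pattern, and ~CPDF_Pattern must not call back into this color.` ReleaseBuffer begins before the hunk.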
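Review bot: In SetValue, `pvalue->m_pPattern = pPattern;` discards the pattern the color held before, but nothing in the hunk clears that pattern's back-pointer, so if it outlives this call its `m_pColor` still names this color and its destructor will later run `SetValue(NULL, NULL, 0)` here, wiping the reference to the new pattern. Whether the part of SetValue before the hunk releases the old pattern through CPDF_DocPageData is not visible, and even if it does, a pattern that survives that release keeps the stale pointer. I would detach it before the assignment: `if (pvalue->m_pPattern && pvalue->m_pPattern->m_pColor == this) pvalue->m_pPattern->SaveColor(NULL);`. SetValue starts before the hunk.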
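Review bot: The new CPDF_Pattern constructor and destructor in fpdf_page_pattern.cpp establish a lifetime contract that no comment states: `m_pColor` is a non-owning pointer set by CPDF_Color through SaveColor, and `~CPDF_Pattern` uses it to reset that color with `SetValue(NULL, NULL, 0)`, which from the SetValue hunk does not call SaveColor again because pPattern is NULL, so the dying pattern is not re-entered from the visible lines. Being the base-class destructor, it runs after `~CPDF_TilingPattern` has already deleted m_pForm, so anything the color does in response must not touch derived pattern state. I would put above the destructor: `// Reset the color that still references this pattern so ~CPDF_Color does not touch freed memory. Runs after the derived destructor, so derived state is already gone.` The initializer list also fixes `m_PatternType(PATTERN_TILING)` for every pattern kind, which presumably relies on non-tiling subclasses overwriting it; a short comment there, e.g. `// Default; subclasses set their own type.`, would make that explicit — confirm against the subclasses.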