From 2283daac0ec65185d952c6ce23282cfc0041d6bc Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Thu, 30 Mar 2017 10:49:21 -0700
Subject: Protect against premature mask destruction in
 CFX_ClipRgn::IntersectRect

Assigning to m_Mask will invalidate the pMask argument if m_Mask itself
is passed into the method.

BUG=706346

Change-Id: Ieaac480eb9e857c3199fd539c23978fb7f372461
Reviewed-on: https://pdfium-review.googlesource.com/3376
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fxge/ge/cfx_cliprgn.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/fxge/ge/cfx_cliprgn.cpp b/core/fxge/ge/cfx_cliprgn.cpp
index 5193ce2944..037e658de9 100644
--- a/core/fxge/ge/cfx_cliprgn.cpp
+++ b/core/fxge/ge/cfx_cliprgn.cpp
@@ -50,13 +50,14 @@ void CFX_ClipRgn::IntersectMaskRect(FX_RECT rect,
     m_Mask = pMask;
     return;
   }
+  CFX_RetainPtr<CFX_DIBitmap> pOldMask(pMask);
   m_Mask = pdfium::MakeRetain<CFX_DIBitmap>();
   m_Mask->Create(m_Box.Width(), m_Box.Height(), FXDIB_8bppMask);
   for (int row = m_Box.top; row < m_Box.bottom; row++) {
     uint8_t* dest_scan =
         m_Mask->GetBuffer() + m_Mask->GetPitch() * (row - m_Box.top);
     uint8_t* src_scan =
-        pMask->GetBuffer() + pMask->GetPitch() * (row - mask_rect.top);
+        pOldMask->GetBuffer() + pOldMask->GetPitch() * (row - mask_rect.top);
     for (int col = m_Box.left; col < m_Box.right; col++)
       dest_scan[col - m_Box.left] = src_scan[col - mask_rect.left];
   }
-- 
cgit v1.2.3