From 3115624972b15136e2b01da4929af4071d4d0bda Mon Sep 17 00:00:00 2001
From: Jun Fang
Date: Thu, 7 Jan 2016 15:10:43 +0800
Subject: Fix writing to read-only region in CXFA_TextParser::GetHorScale().

The reference count didn't increase when a computed style object was referred.

BUG=pdfium:281
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1527263002 .
---
 xfa/src/fxfa/src/app/xfa_textlayout.cpp | 15 +++++++--------
 xfa/src/fxfa/src/app/xfa_textlayout.h   |  6 +++++-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/xfa/src/fxfa/src/app/xfa_textlayout.cpp b/xfa/src/fxfa/src/app/xfa_textlayout.cpp
index efdc116106..e620924441 100644
--- a/xfa/src/fxfa/src/app/xfa_textlayout.cpp
+++ b/xfa/src/fxfa/src/app/xfa_textlayout.cpp
@@ -215,17 +215,16 @@ IFDE_CSSComputedStyle* CXFA_TextParser::CreateStyle(
 IFDE_CSSComputedStyle* CXFA_TextParser::ComputeStyle(
     IFDE_XMLNode* pXMLNode,
     IFDE_CSSComputedStyle* pParentStyle) {
-  CXFA_TextParseContext* pContext =
-      (CXFA_TextParseContext*)m_mapXMLNodeToParseContext.GetValueAt(pXMLNode);
-  if (pContext == NULL) {
-    return NULL;
-  }
+  CXFA_TextParseContext* pContext = static_cast(
+      m_mapXMLNodeToParseContext.GetValueAt(pXMLNode));
+  if (!pContext)
+    return nullptr;
   pContext->m_pParentStyle = pParentStyle;
+  pParentStyle->AddRef();
   CXFA_CSSTagProvider tagProvider;
   ParseTagInfo(pXMLNode, tagProvider);
-  if (tagProvider.m_bContent) {
-    return NULL;
-  }
+  if (tagProvider.m_bContent)
+    return nullptr;
   IFDE_CSSComputedStyle* pStyle = CreateStyle(pParentStyle);
   IFDE_CSSAccelerator* pCSSAccel = m_pSelector->InitAccelerator();
   pCSSAccel->OnEnterTag(&tagProvider);
diff --git a/xfa/src/fxfa/src/app/xfa_textlayout.h b/xfa/src/fxfa/src/app/xfa_textlayout.h
index cbd315993c..b47b37359a 100644
--- a/xfa/src/fxfa/src/app/xfa_textlayout.h
+++ b/xfa/src/fxfa/src/app/xfa_textlayout.h
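Review bot: The added `pParentStyle->AddRef();` after `pContext->m_pParentStyle = pParentStyle;` is unconditional, while the matching Release in the CXFA_TextParseContext destructor (second hunk) is guarded by `if (m_pParentStyle)`, so if any caller can pass a null parent style the acquire side dereferences it; mirroring the guard, `if (pParentStyle) pParentStyle->AddRef();`, keeps the two sides symmetric. If ComputeStyle can run more than once for the same node, the assignment also overwrites any previously stored style without releasing it, which would leak one reference per call, so the lifetime of the stored pointer deserves a comment such as `// pContext now owns one reference to pParentStyle; released in ~CXFA_TextParseContext.` The `static_cast(` on the new pContext line appears to have lost its template argument in rendering, presumably `<CXFA_TextParseContext*>`. ComputeStyle's body continues past the end of the hunk.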
@@ -49,7 +49,11 @@ class CXFA_TextParseContext : public CFX_Target {
         m_ppMatchedDecls(nullptr),
         m_dwMatchedDecls(0),
         m_eDisplay(FDE_CSSDISPLAY_None) {}
-  ~CXFA_TextParseContext() { FX_Free(m_ppMatchedDecls); }
+  ~CXFA_TextParseContext() {
+    if (m_pParentStyle)
+      m_pParentStyle->Release();
+    FX_Free(m_ppMatchedDecls);
+  }
   void SetDisplay(FDE_CSSDISPLAY eDisplay) { m_eDisplay = eDisplay; }
   FDE_CSSDISPLAY GetDisplay() const { return m_eDisplay; }
   void SetDecls(const IFDE_CSSDeclaration** ppDeclArray, int32_t iDeclCount);
-- 
cgit v1.2.3
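Review bot: The new destructor's `if (m_pParentStyle)` guard is only sound if the constructor's initializer list, which starts above this hunk, sets `m_pParentStyle` to `nullptr`; the visible initializers cover only m_ppMatchedDecls, m_dwMatchedDecls and m_eDisplay, so that should be confirmed. Since the destructor now releases a counted reference as well as freeing m_ppMatchedDecls, an implicit copy of a CXFA_TextParseContext would release both twice; if the copy operations are not already deleted elsewhere in the class, `CXFA_TextParseContext(const CXFA_TextParseContext&) = delete;` and the matching assignment deletion belong next to this destructor. A comment on the member declaration, `// Holds one reference to the parent style; released in the destructor.`, would record the ownership this change introduces. The class body extends past both ends of the hunk.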