From fb9c11b49ee4fe6c18703d661dcaee498085c4c5 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Fri, 26 May 2017 11:25:06 -0700
Subject: Release unowned CS reference before maybe destroying owned one

Colorspaces need to be properly refcounted but in the mean time,
get rid of an obvious dangling pointer.

Bug: 726728
Change-Id: I6bd879b18f61f7f5defd2679ce896013eb218b9b
Reviewed-on: https://pdfium-review.googlesource.com/6072
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 core/fpdfapi/page/cpdf_shadingpattern.cpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/fpdfapi/page/cpdf_shadingpattern.cpp b/core/fpdfapi/page/cpdf_shadingpattern.cpp
index c21f51cb77..542c4051c5 100644
--- a/core/fpdfapi/page/cpdf_shadingpattern.cpp
+++ b/core/fpdfapi/page/cpdf_shadingpattern.cpp
@@ -45,11 +45,13 @@ CPDF_ShadingPattern::CPDF_ShadingPattern(CPDF_Document* pDoc,
 }
 
 CPDF_ShadingPattern::~CPDF_ShadingPattern() {
-  CPDF_ColorSpace* pCS = m_pCountedCS ? m_pCountedCS->get() : nullptr;
-  if (pCS) {
+  CPDF_ColorSpace* pCountedCS = m_pCountedCS ? m_pCountedCS->get() : nullptr;
+  if (pCountedCS) {
     auto* pPageData = document()->GetPageData();
-    if (pPageData)
-      pPageData->ReleaseColorSpace(pCS->GetArray());
+    if (pPageData) {
+      m_pCS.Release();  // Give up unowned reference first.
+      pPageData->ReleaseColorSpace(pCountedCS->GetArray());
+    }
   }
 }
 
-- 
cgit v1.2.3