From fd12ec5584d9a17f310a2c0c408a438ef3b1ce63 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 5 Oct 2015 10:16:20 -0700
Subject: Disable JBIG2 cache; prevent data corruption - try 2.

Also change CJBig2_SymbolDict::DeepCopy() to return a unique_ptr to prevent a potential leak if the cache size was 0.
BUG=pdfium:207
R=tsepez@chromium.org, jbreiden@google.com
Review URL: https://codereview.chromium.org/1374633004 .
---
 core/src/fxcodec/jbig2/JBig2_Context.cpp    | 13 ++++++++++---
 core/src/fxcodec/jbig2/JBig2_SymbolDict.cpp | 16 +++++++++-------
 core/src/fxcodec/jbig2/JBig2_SymbolDict.h   | 15 +++++++++------
 3 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/core/src/fxcodec/jbig2/JBig2_Context.cpp b/core/src/fxcodec/jbig2/JBig2_Context.cpp
index f2c44b726a..ca895e5b9c 100644
--- a/core/src/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Context.cpp
@@ -25,7 +25,10 @@
 //
 // Disabled until we can figure out how to clear cache between documents.
 // https://code.google.com/p/pdfium/issues/detail?id=207
+#define DISABLE_SYMBOL_CACHE
+#ifndef DISABLE_SYMBOL_CACHE
 static const int kSymbolDictCacheMaxSize = 2;
+#endif
 
 CJBig2_Context* CJBig2_Context::CreateContext(
     const uint8_t* pGlobalData,
@@ -623,7 +626,8 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
     for (std::list::iterator it = m_pSymbolDictCache->begin();
          it != m_pSymbolDictCache->end(); ++it) {
       if (it->first == key) {
-        pSegment->m_Result.sd = it->second->DeepCopy();
+        nonstd::unique_ptr copy(it->second->DeepCopy());
+        pSegment->m_Result.sd = copy.release();
         m_pSymbolDictCache->push_front(*it);
         m_pSymbolDictCache->erase(it);
         cache_hit = true;
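Review bot: The new `#define DISABLE_SYMBOL_CACHE` guards only the `kSymbolDictCacheMaxSize` constant here and the insertion path in the hunk at 655; the lookup loop in the hunk at 626 stays compiled and still walks `m_pSymbolDictCache` for every symbol-dictionary segment, against a list this build can never populate. Putting that loop (and the computation of `key`, if it sits just above the hunk) between the same `#ifndef DISABLE_SYMBOL_CACHE` / `#endif` pair keeps both halves of the cache behind one switch, so the cross-document reuse this commit turns off cannot be re-enabled on one side only. In the hit path the `copy` temporary is released on the very next line; `pSegment->m_Result.sd = it->second->DeepCopy().release();` is equivalent and shorter. parseSymbolDict begins and ends outside these hunks.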
@@ -651,14 +655,17 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
       }
       m_pStream->alignByte();
     }
-    CJBig2_SymbolDict* value = pSegment->m_Result.sd->DeepCopy();
+#ifndef DISABLE_SYMBOL_CACHE
+    nonstd::unique_ptr value =
+        pSegment->m_Result.sd->DeepCopy();
     if (value && kSymbolDictCacheMaxSize > 0) {
       while (m_pSymbolDictCache->size() >= kSymbolDictCacheMaxSize) {
         delete m_pSymbolDictCache->back().second;
         m_pSymbolDictCache->pop_back();
       }
-      m_pSymbolDictCache->push_front(CJBig2_CachePair(key, value));
+      m_pSymbolDictCache->push_front(CJBig2_CachePair(key, value.release()));
     }
+#endif
   }
   if (wFlags & 0x0200) {
     pSegment->m_Result.sd->m_bContextRetained = TRUE;
diff --git a/core/src/fxcodec/jbig2/JBig2_SymbolDict.cpp b/core/src/fxcodec/jbig2/JBig2_SymbolDict.cpp
index ef02df1072..1ec56dfacc 100644
--- a/core/src/fxcodec/jbig2/JBig2_SymbolDict.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_SymbolDict.cpp
@@ -7,6 +7,7 @@
 #include "JBig2_SymbolDict.h"
 
 #include "../../../include/fxcrt/fx_memory.h"
+#include "JBig2_Image.h"
 
 CJBig2_SymbolDict::CJBig2_SymbolDict() {
   SDNUMEXSYMS = 0;
@@ -15,15 +16,16 @@ CJBig2_SymbolDict::CJBig2_SymbolDict() {
   m_gbContext = m_grContext = NULL;
 }
 
-CJBig2_SymbolDict* CJBig2_SymbolDict::DeepCopy() {
-  CJBig2_SymbolDict* src = this;
-  if (src->m_bContextRetained || src->m_gbContext || src->m_grContext) {
-    return NULL;
-  }
-  CJBig2_SymbolDict* dst = new CJBig2_SymbolDict;
+nonstd::unique_ptr CJBig2_SymbolDict::DeepCopy() const {
+  nonstd::unique_ptr dst;
+  const CJBig2_SymbolDict* src = this;
+  if (src->m_bContextRetained || src->m_gbContext || src->m_grContext)
+    return dst;
+
+  dst.reset(new CJBig2_SymbolDict);
   dst->SDNUMEXSYMS = src->SDNUMEXSYMS;
   dst->SDEXSYMS = FX_Alloc(CJBig2_Image*, src->SDNUMEXSYMS);
-  for (FX_DWORD i = 0; i < src->SDNUMEXSYMS; i++) {
+  for (FX_DWORD i = 0; i < src->SDNUMEXSYMS; ++i) {
     if (src->SDEXSYMS[i]) {
       dst->SDEXSYMS[i] = new CJBig2_Image(*(src->SDEXSYMS[i]));
     } else {
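Review bot: `dst.reset(new CJBig2_SymbolDict);` makes `dst` the owner before the loop below fills `SDEXSYMS` one `new CJBig2_Image` at a time, so an allocation failure part-way through now destroys a dictionary whose array is only partly populated; that is safe only if `FX_Alloc` hands back a zero-filled array (or `~CJBig2_SymbolDict` otherwise tolerates uninitialised slots), which this hunk does not show and is worth confirming. A comment on the `reset` line such as `// dst owns everything below; a throw mid-loop destroys it with SDEXSYMS partly filled, so the array must start out zeroed` records the assumption for the next reader. The `src` alias to `this` is a leftover from the old in-place version and can be dropped now that the method is const. DeepCopy continues past the end of the hunk.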
diff --git a/core/src/fxcodec/jbig2/JBig2_SymbolDict.h b/core/src/fxcodec/jbig2/JBig2_SymbolDict.h
index 19d0f606a5..c8e39dc845 100644
--- a/core/src/fxcodec/jbig2/JBig2_SymbolDict.h
+++ b/core/src/fxcodec/jbig2/JBig2_SymbolDict.h
@@ -4,19 +4,22 @@
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
-#ifndef _JBIG2_SYMBOL_DICT_H_
-#define _JBIG2_SYMBOL_DICT_H_
+#ifndef CORE_SRC_FXCODEC_JBIG2_JBIG2_SYMBOLDICT_H_
+#define CORE_SRC_FXCODEC_JBIG2_JBIG2_SYMBOLDICT_H_
 
+#include "../../../../third_party/base/nonstd_unique_ptr.h"
+#include "../../../include/fxcrt/fx_basic.h"
 #include "JBig2_ArithDecoder.h"
-#include "JBig2_Define.h"
-#include "JBig2_Image.h"
+
+class CJBig2_Image;
 
 class CJBig2_SymbolDict {
  public:
   CJBig2_SymbolDict();
-  CJBig2_SymbolDict* DeepCopy();
   ~CJBig2_SymbolDict();
 
+  nonstd::unique_ptr DeepCopy() const;
+
  public:
   FX_DWORD SDNUMEXSYMS;
   CJBig2_Image** SDEXSYMS;
@@ -25,4 +28,4 @@ class CJBig2_SymbolDict {
   JBig2ArithCtx* m_grContext;
 };
 
-#endif
+#endif  // CORE_SRC_FXCODEC_JBIG2_JBIG2_SYMBOLDICT_H_
-- 
cgit v1.2.3
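Review bot: `nonstd::unique_ptr DeepCopy() const;` carries no comment saying when the copy fails, yet the JBig2_Context caller relies on an empty result to mean "do not cache". The implementation returns an empty pointer whenever `m_bContextRetained`, `m_gbContext` or `m_grContext` is set, so the declaration could say `// Returns a copy with the symbol images duplicated, or null when this dictionary still holds decoding contexts (m_bContextRetained, m_gbContext, m_grContext) and so cannot be copied.` Replacing `#include "JBig2_Image.h"` with `class CJBig2_Image;` is enough for the `CJBig2_Image**` member, but any file that reached CJBig2_Image only transitively through this header now needs its own include; the .cpp was updated in this commit, other includers are not visible here.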