From a9d56105a725d223f87bd979ffbf61a8a2377c08 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Fri, 17 Aug 2018 23:09:43 +0000 Subject: Use more UnownedPtr<> in cpdf_renderstatus.h. This immediately flags a case where a pointer from a heap object to a caller's stack object is persisted past the caller's lifetime. Fix it the simplest way via AutoRestorer<> so we'll get a nice safe segv should it be used. Change-Id: I554304b235e73c279fa0cd79c9e3ee0138be45f9 Reviewed-on: https://pdfium-review.googlesource.com/40592 Reviewed-by: Lei Zhang Commit-Queue: Tom Sepez --- core/fpdfapi/render/cpdf_renderstatus.cpp | 16 +++++++++------- core/fpdfapi/render/cpdf_renderstatus.h | 4 ++-- 2 files changed, 11 insertions(+), 9 deletions(-) (limited to 'core/fpdfapi') diff --git a/core/fpdfapi/render/cpdf_renderstatus.cpp b/core/fpdfapi/render/cpdf_renderstatus.cpp index 5e554623df..2cbe495ce4 100644 --- a/core/fpdfapi/render/cpdf_renderstatus.cpp +++ b/core/fpdfapi/render/cpdf_renderstatus.cpp @@ -1228,7 +1228,7 @@ bool CPDF_RenderStatus::ProcessForm(const CPDF_FormObject* pFormObj, pFormDict ? pFormDict->GetDictFor("Resources") : nullptr; CPDF_RenderStatus status(m_pContext.Get(), m_pDevice); status.SetOptions(m_Options); - status.SetStopObject(m_pStopObj); + status.SetStopObject(m_pStopObj.Get()); status.SetTransparency(m_Transparency); status.SetDropObjects(m_bDropObjects); status.SetFormResource(pResources); @@ -1568,7 +1568,7 @@ bool CPDF_RenderStatus::ProcessTransparency(CPDF_PageObject* pPageObj, } CPDF_RenderStatus bitmap_render(m_pContext.Get(), &bitmap_device); bitmap_render.SetOptions(m_Options); - bitmap_render.SetStopObject(m_pStopObj); + bitmap_render.SetStopObject(m_pStopObj.Get()); bitmap_render.SetStdCS(true); bitmap_render.SetDropObjects(m_bDropObjects); bitmap_render.SetFormResource(pFormResource); @@ -1983,6 +1983,8 @@ void CPDF_RenderStatus::DrawTextPathWithPattern(const CPDF_TextObject* textobj, path.m_Bottom = textobj->m_Bottom; path.m_Right = textobj->m_Right; path.m_Top = textobj->m_Top; + + AutoRestorer> restorer2(&m_pCurObj); RenderSingleObject(&path, pObj2Device); return; } @@ -2058,8 +2060,8 @@ void CPDF_RenderStatus::DrawShading(const CPDF_ShadingPattern* pPattern, return; } CPDF_DeviceBuffer buffer; - buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox, m_pCurObj, - 150); + buffer.Initialize(m_pContext.Get(), m_pDevice, clip_rect_bbox, + m_pCurObj.Get(), 150); CFX_Matrix FinalMatrix = *pMatrix; FinalMatrix.Concat(*buffer.GetMatrix()); RetainPtr pBitmap = buffer.GetBitmap(); @@ -2479,9 +2481,9 @@ void CPDF_RenderStatus::CompositeDIBitmap( int back_top; FX_RECT rect(left, top, left + pDIBitmap->GetWidth(), top + pDIBitmap->GetHeight()); - RetainPtr pBackdrop = - GetBackdrop(m_pCurObj, rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated, - &back_left, &back_top); + RetainPtr pBackdrop = GetBackdrop( + m_pCurObj.Get(), rect, blend_mode > FXDIB_BLEND_NORMAL && bIsolated, + &back_left, &back_top); if (!pBackdrop) return; diff --git a/core/fpdfapi/render/cpdf_renderstatus.h b/core/fpdfapi/render/cpdf_renderstatus.h index a7e845f237..f6d58843c0 100644 --- a/core/fpdfapi/render/cpdf_renderstatus.h +++ b/core/fpdfapi/render/cpdf_renderstatus.h @@ -188,8 +188,8 @@ class CPDF_RenderStatus { CFX_RenderDevice* const m_pDevice; CFX_Matrix m_DeviceMatrix; CPDF_ClipPath m_LastClipPath; - const CPDF_PageObject* m_pCurObj = nullptr; - const CPDF_PageObject* m_pStopObj = nullptr; + UnownedPtr m_pCurObj; + UnownedPtr m_pStopObj; CPDF_GraphicStates m_InitialStates; std::unique_ptr m_pImageRenderer; CPDF_Transparency m_Transparency; -- cgit v1.2.3