From 8d8d3bc54593d2d86054d59669b86a959ec0b602 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Wed, 10 Oct 2018 17:53:50 +0000 Subject: Fix dangling reference in CFX_CodecMemory. Do this by making CFX_CodecMemory actually own the memory that it is ref-counting. Remove some test cases that are now prohibited, and relax one lifetime restriction in the test because we are now doing one additional copy (in the test, but not in real life). Bug:879512 Change-Id: If030dfcf97fe40155c46a42288fc73192437ce9c Reviewed-on: https://pdfium-review.googlesource.com/c/43670 Commit-Queue: Tom Sepez Reviewed-by: Lei Zhang --- core/fxcodec/codec/cfx_codec_memory.h | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'core/fxcodec/codec/cfx_codec_memory.h')
diff --git a/core/fxcodec/codec/cfx_codec_memory.h b/core/fxcodec/codec/cfx_codec_memory.h
index 0d11d41de8..fa26e240ec 100644
--- a/core/fxcodec/codec/cfx_codec_memory.h
+++ b/core/fxcodec/codec/cfx_codec_memory.h
@@ -5,6 +5,9 @@
 #ifndef CORE_FXCODEC_CODEC_CFX_CODEC_MEMORY_H_
 #define CORE_FXCODEC_CODEC_CFX_CODEC_MEMORY_H_
 
+#include
+
+#include "core/fxcrt/fx_memory.h"
 #include "core/fxcrt/retain_ptr.h"
 #include "third_party/base/span.h"
 
@@ -13,21 +16,28 @@ class CFX_CodecMemory final : public Retainable {
 template
 friend RetainPtr pdfium::MakeRetain(Args&&... args);
 
- pdfium::span GetSpan() { return buffer_; }
- uint8_t* GetBuffer() { return buffer_.data(); }
- size_t GetSize() const { return buffer_.size(); }
+ pdfium::span GetSpan() { return {buffer_.get(), size_}; }
+ uint8_t* GetBuffer() { return buffer_.get(); }
+ size_t GetSize() const { return size_; }
 size_t GetPosition() const { return pos_; }
- bool IsEOF() const { return pos_ >= buffer_.size(); }
+ bool IsEOF() const { return pos_ >= size_; }
 size_t ReadBlock(void* buffer, size_t size);
 
 // Sets the cursor position to |pos| if possible.
 bool Seek(size_t pos);
 
+ // Try to change the size of the buffer, keep the old one on failure.
+ bool TryResize(size_t new_buffer_size);
+
+ // Schlep the bytes down the buffer.
+ void Consume(size_t consumed);
+
 private:
- explicit CFX_CodecMemory(pdfium::span buffer);
+ explicit CFX_CodecMemory(size_t buffer_size);
 ~CFX_CodecMemory() override;
 
- pdfium::span const buffer_;
+ std::unique_ptr buffer_;
+ size_t size_ = 0;
 size_t pos_ = 0;
 };
 
-- cgit v1.2.3
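Review bot: `TryResize()` is declared without saying what happens to pointers and spans that `GetBuffer()` and `GetSpan()` have already handed out, and with `buffer_` now an owned allocation that can be replaced, a caller that keeps one across a resize may end up with the same kind of dangling reference this commit removes. The implementation is in the .cc file outside this header-only view, so whether it reallocates is inferred; if it does, the comment should say so, e.g. `// On success, invalidates anything previously returned by GetBuffer() or GetSpan().` The comment on `Consume()` should likewise state whether `consumed` may exceed `GetSize()` and what the call does to `pos_`, since `IsEOF()` compares `pos_` against `size_`. The class opens above the hunk (its head appears only in the `@@` line), so `public:` and any earlier members are not visible here.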