From 1b1dd8a6907f4631044b1c03698170853af594a9 Mon Sep 17 00:00:00 2001
From: Lei Zhang
Date: Mon, 5 Oct 2015 17:09:11 -0700
Subject: Merge to XFA: Disable JBIG2 cache; prevent data corruption - try 2.

Also change CJBig2_SymbolDict::DeepCopy() to return a unique_ptr to prevent a potential leak if the cache size was 0.

BUG=pdfium:207
R=tsepez@chromium.org, jbreiden@google.com

Review URL: https://codereview.chromium.org/1374633004 .

(cherry picked from commit fd12ec5584d9a17f310a2c0c408a438ef3b1ce63)

Review URL: https://codereview.chromium.org/1390673002 .
---
 core/src/fxcodec/jbig2/JBig2_Context.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'core/src/fxcodec/jbig2/JBig2_Context.cpp')

diff --git a/core/src/fxcodec/jbig2/JBig2_Context.cpp b/core/src/fxcodec/jbig2/JBig2_Context.cpp
index f2c44b726a..ca895e5b9c 100644
--- a/core/src/fxcodec/jbig2/JBig2_Context.cpp
+++ b/core/src/fxcodec/jbig2/JBig2_Context.cpp
@@ -25,7 +25,10 @@
 //
 // Disabled until we can figure out how to clear cache between documents.
 // https://code.google.com/p/pdfium/issues/detail?id=207
+#define DISABLE_SYMBOL_CACHE
+#ifndef DISABLE_SYMBOL_CACHE
 static const int kSymbolDictCacheMaxSize = 2;
+#endif
 
 CJBig2_Context* CJBig2_Context::CreateContext(
 const uint8_t* pGlobalData,
@@ -623,7 +626,8 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 for (std::list::iterator it = m_pSymbolDictCache->begin();
 it != m_pSymbolDictCache->end(); ++it) {
 if (it->first == key) {
- pSegment->m_Result.sd = it->second->DeepCopy();
+ nonstd::unique_ptr copy(it->second->DeepCopy());
+ pSegment->m_Result.sd = copy.release();
 m_pSymbolDictCache->push_front(*it);
 m_pSymbolDictCache->erase(it);
 cache_hit = true;
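Review bot: The `#ifndef DISABLE_SYMBOL_CACHE` guard in this hunk covers only `kSymbolDictCacheMaxSize`, while the lookup loop over `m_pSymbolDictCache` later in the same hunk stays compiled and still runs for every symbol dictionary even though the matching store in the second hunk is compiled out, so the read side remains live against a cache that nothing can populate. If the intent is to take the cache out entirely until the cross-document clearing from pdfium:207 is solved, wrap the loop (from `for (std::list...` through the end of the hit branch) in the same `#ifndef`, so that no path can hand a cached dictionary to a later document; the existing comment and the commit description suggest that is the corruption being prevented. The `#define DISABLE_SYMBOL_CACHE` is also unconditional, so the `#ifndef` can never be false; a one-line comment such as `// Unconditional for now: the cache appears to outlive a document, so a hit could serve another document's symbols (pdfium:207).` would tell the next reader this is a switch rather than a build option. parseSymbolDict begins and ends outside the hunk.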
@@ -651,14 +655,17 @@ int32_t CJBig2_Context::parseSymbolDict(CJBig2_Segment* pSegment,
 }
 m_pStream->alignByte();
 }
- CJBig2_SymbolDict* value = pSegment->m_Result.sd->DeepCopy();
+#ifndef DISABLE_SYMBOL_CACHE
+ nonstd::unique_ptr value =
+ pSegment->m_Result.sd->DeepCopy();
 if (value && kSymbolDictCacheMaxSize > 0) {
 while (m_pSymbolDictCache->size() >= kSymbolDictCacheMaxSize) {
 delete m_pSymbolDictCache->back().second;
 m_pSymbolDictCache->pop_back();
 }
- m_pSymbolDictCache->push_front(CJBig2_CachePair(key, value));
+ m_pSymbolDictCache->push_front(CJBig2_CachePair(key, value.release()));
 }
+#endif
 }
 if (wFlags & 0x0200) {
 pSegment->m_Result.sd->m_bContextRetained = TRUE;
--
cgit v1.2.3
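Review bot: The new `#ifndef DISABLE_SYMBOL_CACHE` around the store duplicates a disable mechanism the block already has: the guarded code checks `kSymbolDictCacheMaxSize > 0`, and with `value` now a unique_ptr a size of 0 no longer leaks the copy, so setting the constant to 0 would disable the store while keeping the constant visible to the compiler. If the preprocessor guard is kept because it also skips the per-dictionary `DeepCopy()`, say so at the `#ifndef`: `// Compiled out rather than sized to 0 so the per-dictionary DeepCopy() is skipped as well.` Note also that `value.release()` hands the pointer into a raw-pointer `CJBig2_CachePair`, so the cache's own teardown (not visible here) stays responsible for deleting it; the eviction's `delete m_pSymbolDictCache->back().second` shows that contract, but a brief ownership comment at the `push_front` would make it explicit. parseSymbolDict begins and ends outside the hunk.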