From d5624a47bcaad45f6fcb30ad03b6e474f5cee17e Mon Sep 17 00:00:00 2001
From: Ke Liu <stackexploit@gmail.com>
Date: Mon, 16 Apr 2018 05:19:07 +0000
Subject: Fix UAF in CFGAS_FontMgr::FindFont

Fix an use-after-free issue which was introduced by
commit 53279b1dcabae4913f7f0a58e741942e82ab7d59.

Bug: chromium:832589
Change-Id: Id7da791c3aa2d71d0a9e56d062069f41b7eb48d1
Reviewed-on: https://pdfium-review.googlesource.com/30570
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
---
 xfa/fgas/font/cfgas_fontmgr.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'xfa/fgas/font/cfgas_fontmgr.cpp')

diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp
index b4e6bdc912..d7acc62eef 100644
--- a/xfa/fgas/font/cfgas_fontmgr.cpp
+++ b/xfa/fgas/font/cfgas_fontmgr.cpp
@@ -229,8 +229,12 @@ const FX_FONTDESCRIPTOR* CFGAS_FontMgr::FindFont(const wchar_t* pszFontFamily,
   if (!pszFontFamily)
     return nullptr;
 
+  // Use a named object to store the returned value of EnumGdiFonts() instead
+  // of using a temporary object. This can prevent use-after-free issues since
+  // pDesc may point to one of std::deque object's elements.
+  std::deque<FX_FONTDESCRIPTOR> namedFonts = EnumGdiFonts(pszFontFamily, wUnicode);
   params.pwsFamily = nullptr;
-  pDesc = MatchDefaultFont(&params, EnumGdiFonts(pszFontFamily, wUnicode));
+  pDesc = MatchDefaultFont(&params, namedFonts);
   if (!pDesc)
     return nullptr;
 
-- 
cgit v1.2.3