From 783a7e048c677d26aaf3884304627bbe27cff546 Mon Sep 17 00:00:00 2001 From: tsepez Date: Tue, 17 Jan 2017 11:05:57 -0800 Subject: Avoid endless loop deleting CFGAS_GEFont. It's a ref-counted class, so if we're in the destructor, the ref count has hit zero. We can't make a new ref pointer to itself here, as it will re-invoke the destructor when it goes out of scope. This should have been an obvious anti-pattern in hindsight. The object in question can't be in the m_pFontManager, since the font manager retains a reference, and we wouldn't get to this destructor while that is present. So the cleanup isn't required. Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp. I also converted to use unique_ptrs in a few places near this issue. Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr is not a good idea as it doesn't bump the ref count. Also protect and friend the CFGAS_GEFont destructor, to make sure random deletes don't happen. Also kill off a const cast, and remove unnecessary conversion to retain_ptr when we already have one. TEST=look for absence of -11 in XFA corpus test logs, bots not currently noticing the segv. Argh. Review-Url: https://codereview.chromium.org/2631703003 --- xfa/fgas/font/cfgas_gefont.cpp | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) (limited to 'xfa/fgas/font/cfgas_gefont.cpp') diff --git a/xfa/fgas/font/cfgas_gefont.cpp b/xfa/fgas/font/cfgas_gefont.cpp index 49639c2005..d0e7f13c3a 100644 --- a/xfa/fgas/font/cfgas_gefont.cpp +++ b/xfa/fgas/font/cfgas_gefont.cpp @@ -27,8 +27,7 @@ CFX_RetainPtr CFGAS_GEFont::LoadFont( if (!pFontMgr) return nullptr; - return CFX_RetainPtr( - pFontMgr->GetFontByCodePage(wCodePage, dwFontStyles, pszFontFamily)); + return pFontMgr->GetFontByCodePage(wCodePage, dwFontStyles, pszFontFamily); #else auto pFont = pdfium::MakeRetain(pFontMgr); if (!pFont->LoadFontInternal(pszFontFamily, dwFontStyles, wCodePage)) @@ -119,9 +118,6 @@ CFGAS_GEFont::CFGAS_GEFont(const CFX_RetainPtr& src, } CFGAS_GEFont::~CFGAS_GEFont() { - if (m_pFontMgr) - m_pFontMgr->RemoveFont(CFX_RetainPtr(this)); - if (!m_bExternalFont) delete m_pFont; } @@ -429,10 +425,9 @@ int32_t CFGAS_GEFont::GetDescent() const { return m_pFont->GetDescent(); } -CFX_RetainPtr CFGAS_GEFont::GetSubstFont( - int32_t iGlyphIndex) const { +CFX_RetainPtr CFGAS_GEFont::GetSubstFont(int32_t iGlyphIndex) { iGlyphIndex = static_cast(iGlyphIndex) >> 24; if (iGlyphIndex == 0) - return CFX_RetainPtr(const_cast(this)); + return CFX_RetainPtr(this); return m_SubstFonts[iGlyphIndex - 1]; } -- cgit v1.2.3