From 783a7e048c677d26aaf3884304627bbe27cff546 Mon Sep 17 00:00:00 2001 From: tsepez Date: Tue, 17 Jan 2017 11:05:57 -0800 Subject: Avoid endless loop deleting CFGAS_GEFont. It's a ref-counted class, so if we're in the destructor, the ref count has hit zero. We can't make a new ref pointer to itself here, as it will re-invoke the destructor when it goes out of scope. This should have been an obvious anti-pattern in hindsight. The object in question can't be in the m_pFontManager, since the font manager retains a reference, and we wouldn't get to this destructor while that is present. So the cleanup isn't required. Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp. I also converted to use unique_ptrs in a few places near this issue. Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr is not a good idea as it doesn't bump the ref count. Also protect and friend the CFGAS_GEFont destructor, to make sure random deletes don't happen. Also kill off a const cast, and remove unnecessary conversion to retain_ptr when we already have one. TEST=look for absence of -11 in XFA corpus test logs, bots not currently noticing the segv. Argh. Review-Url: https://codereview.chromium.org/2631703003 --- xfa/fgas/font/cfgas_gefont.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'xfa/fgas/font/cfgas_gefont.h') diff --git a/xfa/fgas/font/cfgas_gefont.h b/xfa/fgas/font/cfgas_gefont.h index de4f9639e0..6c9d890df4 100644 --- a/xfa/fgas/font/cfgas_gefont.h +++ b/xfa/fgas/font/cfgas_gefont.h @@ -24,6 +24,8 @@ class CXFA_PDFFontMgr; class CFGAS_GEFont : public CFX_Retainable { public: + template + friend class CFX_RetainPtr; template friend CFX_RetainPtr pdfium::MakeRetain(Args&&... args); @@ -46,8 +48,6 @@ class CFGAS_GEFont : public CFX_Retainable { bool bSaveStream); #endif - ~CFGAS_GEFont() override; - CFX_RetainPtr Derive(uint32_t dwFontStyles, uint16_t wCodePage = 0); uint32_t GetFontStyles() const; @@ -57,7 +57,7 @@ class CFGAS_GEFont : public CFX_Retainable { int32_t GetDescent() const; bool GetCharBBox(FX_WCHAR wUnicode, CFX_Rect* bbox, bool bCharCode = false); bool GetBBox(CFX_Rect* bbox); - CFX_RetainPtr GetSubstFont(int32_t iGlyphIndex) const; + CFX_RetainPtr GetSubstFont(int32_t iGlyphIndex); CFX_Font* GetDevFont() const { return m_pFont; } void SetFontProvider(CXFA_PDFFontMgr* pProvider) { m_pProvider = pProvider; } #if _FXM_PLATFORM_ != _FXM_PLATFORM_WINDOWS_ @@ -70,6 +70,7 @@ class CFGAS_GEFont : public CFX_Retainable { private: explicit CFGAS_GEFont(CFGAS_FontMgr* pFontMgr); CFGAS_GEFont(const CFX_RetainPtr& src, uint32_t dwFontStyles); + ~CFGAS_GEFont() override; #if _FXM_PLATFORM_ == _FXM_PLATFORM_WINDOWS_ bool LoadFontInternal(const FX_WCHAR* pszFontFamily, -- cgit v1.2.3