From 837735660808d52580703183ae24a3c7c7b05c7d Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Tue, 23 Aug 2016 11:39:23 -0700
Subject: [XFA] Force destruction order of font managers.
The GEFont points to the font manager which creates it and tries to unregister itself. Currently the GEFont can be created by the default mapper and then stored in a different mapper. If the default mapper is destroyed first, when the second mapper cleans up the font there will be a call to unregister on the default mapper causing a use-after-free. The long term fix is to fixup the GEFont so it points to the correct mapper to unregister from. This CL forces the destruction order in CXFA_FFApp to cleanup the non-default mapper first.
BUG=chromium:637546
Review-Url: https://codereview.chromium.org/2259823004
---
xfa/fgas/font/fgas_stdfontmgr.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'xfa/fgas/font/fgas_stdfontmgr.h')
diff --git a/xfa/fgas/font/fgas_stdfontmgr.h b/xfa/fgas/font/fgas_stdfontmgr.h
index 65f260c54c..0506876b64 100644
--- a/xfa/fgas/font/fgas_stdfontmgr.h
+++ b/xfa/fgas/font/fgas_stdfontmgr.h
@@ -184,7 +184,6 @@ class CFGAS_FontMgrImp : public IFGAS_FontMgr {
protected: void RegisterFace(FXFT_Face pFace, - CFX_FontDescriptors& Fonts, const CFX_WideString* pFaceName); void RegisterFaces(IFX_FileRead* pFontStream, const CFX_WideString* pFaceName);
@@ -192,7 +191,6 @@ class CFGAS_FontMgrImp : public IFGAS_FontMgr {
std::vector GetCharsets(FXFT_Face pFace) const; void GetUSBCSB(FXFT_Face pFace, uint32_t* USB, uint32_t* CSB); uint32_t GetFlags(FXFT_Face pFace); - CFX_FontDescriptors m_InstalledFonts; FX_BOOL VerifyUnicode(CFX_FontDescriptor* pDesc, FX_WCHAR wcUnicode); FX_BOOL VerifyUnicode(CFGAS_GEFont* pFont, FX_WCHAR wcUnicode); int32_t IsPartName(const CFX_WideString& Name1, const CFX_WideString& Name2);
@@ -212,6 +210,7 @@ class CFGAS_FontMgrImp : public IFGAS_FontMgr {
uint32_t index); IFX_FileRead* CreateFontStream(const CFX_ByteString& bsFaceName); + CFX_FontDescriptors m_InstalledFonts; CFX_MapPtrTemplate m_Hash2CandidateList; CFX_MapPtrTemplate*> m_Hash2Fonts; CFX_MapPtrTemplate m_IFXFont2FileRead;
-- cgit v1.2.3
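Review bot: The new position of `m_InstalledFonts` changes where it falls in the member destruction sequence, and nothing at the declaration says whether that is intended. C++ destroys non-static members in reverse declaration order, so declared here it is torn down after `m_Hash2CandidateList`, `m_Hash2Fonts` and `m_IFXFont2FileRead`; what it was ordered against before cannot be checked, because the old position is removed in the `-192,7` hunk and the members between the two positions are not shown. Since the commit message describes a use-after-free caused by teardown order, the declaration should carry a comment such as `// Declared before the lookup maps: members are destroyed in reverse order, so the descriptors outlive the maps.` if the maps can refer to descriptors held here, or a one-line note that the move is only a regrouping if they cannot. The class body starts and ends outside the hunk, so the destructor and the remaining members were not reviewed.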