From 783a7e048c677d26aaf3884304627bbe27cff546 Mon Sep 17 00:00:00 2001 From: tsepez Date: Tue, 17 Jan 2017 11:05:57 -0800 Subject: Avoid endless loop deleting CFGAS_GEFont. It's a ref-counted class, so if we're in the destructor, the ref count has hit zero. We can't make a new ref pointer to itself here, as it will re-invoke the destructor when it goes out of scope. This should have been an obvious anti-pattern in hindsight. The object in question can't be in the m_pFontManager, since the font manager retains a reference, and we wouldn't get to this destructor while that is present. So the cleanup isn't required. Fixing this revealed a free-delete mismatch in cxfa_textlayout.cpp. I also converted to use unique_ptrs in a few places near this issue. Fixing this revealed a UAF in CFGAS_GEFont, memcpy'ing a RetainPtr is not a good idea as it doesn't bump the ref count. Also protect and friend the CFGAS_GEFont destructor, to make sure random deletes don't happen. Also kill off a const cast, and remove unnecessary conversion to retain_ptr when we already have one. TEST=look for absence of -11 in XFA corpus test logs, bots not currently noticing the segv. Argh. Review-Url: https://codereview.chromium.org/2631703003 --- xfa/fxfa/app/xfa_fftext.cpp | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) (limited to 'xfa/fxfa/app/xfa_fftext.cpp') diff --git a/xfa/fxfa/app/xfa_fftext.cpp b/xfa/fxfa/app/xfa_fftext.cpp index 2307ea0dc4..3d2c9a6ea0 100644 --- a/xfa/fxfa/app/xfa_fftext.cpp +++ b/xfa/fxfa/app/xfa_fftext.cpp @@ -153,22 +153,17 @@ FWL_WidgetHit CXFA_FFText::OnHitTest(FX_FLOAT fx, FX_FLOAT fy) { } const FX_WCHAR* CXFA_FFText::GetLinkURLAtPoint(FX_FLOAT fx, FX_FLOAT fy) { CXFA_TextLayout* pTextLayout = m_pDataAcc->GetTextLayout(); - if (!pTextLayout) { + if (!pTextLayout) return nullptr; - } - FX_FLOAT x(fx), y(fy); + + FX_FLOAT x(fx); + FX_FLOAT y(fy); FWLToClient(x, y); - const CFX_ArrayTemplate* pPieceLines = - pTextLayout->GetPieceLines(); - int32_t iCount = pPieceLines->GetSize(); - for (int32_t i = 0; i < iCount; i++) { - CXFA_PieceLine* pPieceLine = pPieceLines->GetAt(i); - int32_t iPieces = pPieceLine->m_textPieces.GetSize(); - for (int32_t j = 0; j < iPieces; j++) { - XFA_TextPiece* pPiece = pPieceLine->m_textPieces.GetAt(j); - if (pPiece->pLinkData && pPiece->rtPiece.Contains(x, y)) { + + for (const auto& pPieceLine : *pTextLayout->GetPieceLines()) { + for (const auto& pPiece : pPieceLine->m_textPieces) { + if (pPiece->pLinkData && pPiece->rtPiece.Contains(x, y)) return pPiece->pLinkData->GetLinkURL(); - } } } return nullptr; -- cgit v1.2.3