[XFA] Force destruction order of font managers.

xfa/fxfa/app/xfa_ffapp.cpp

Index: xfa/fxfa/app/xfa_ffapp.cpp
diff --git a/xfa/fxfa/app/xfa_ffapp.cpp b/xfa/fxfa/app/xfa_ffapp.cpp
index 18e2d76552cf80275617ac045a969d16aa0238ec..d5259a2f5776c09722af1187634e44423f4145fe 100644
--- a/xfa/fxfa/app/xfa_ffapp.cpp
+++ b/xfa/fxfa/app/xfa_ffapp.cpp
@@ -88,6 +88,21 @@ CXFA_FFApp::~CXFA_FFApp() {
   }
 
   CXFA_TimeZoneProvider::Destroy();
+
+  // The fonts stored in the font manager may have been created by the default
+  // font manager. The GEFont::LoadFont call takes the manager as a param and
+  // stores it internally. When you destroy the GEFont it tries to unregister
+  // from the font manager and if the default font manager was destroyed first
+  // get get a use-after-free. The m_pFWLTheme can try to cleanup a GEFont
+  // when it frees, so make sure it gets cleaned up first. That requires
+  // m_pFWLApp to be cleaned up as well.
+  //
+  // TODO(dsinclair): The GEFont should have the FontMgr as the pointer instead
+  // of the DEFFontMgr so this goes away. Bug 561.
+  m_pFWLApp.reset();
+  m_pFWLTheme.reset();
+  m_pFontMgr.reset();
+  m_pFDEFontMgr.reset();

[Wei Li, 2016/08/18 22:10:58]

Can you just exchange the order of |m_pFDEFontMgr| and |m_pFontMgr| in the
header? 

[dsinclair, 2016/08/23 13:59:43]

Done.

 }
 
 CXFA_FFDocHandler* CXFA_FFApp::GetDocHandler() {