Index: xfa/fxfa/include/xfa_ffapp.h |
diff --git a/xfa/fxfa/include/xfa_ffapp.h b/xfa/fxfa/include/xfa_ffapp.h |
index bc0d6dfb38db1b144821497bea0c6f27da3e397c..90bfcc024077a8e0b3a481fc7164d3c1d51eebfb 100644 |
--- a/xfa/fxfa/include/xfa_ffapp.h |
+++ b/xfa/fxfa/include/xfa_ffapp.h |
@@ -63,13 +63,26 @@ class CXFA_FFApp { |
protected: |
std::unique_ptr<CXFA_FFDocHandler> m_pDocHandler; |
IXFA_AppProvider* const m_pProvider; |
+ |
+ // The fonts stored in the font manager may have been created by the default |
+ // font manager. The GEFont::LoadFont call takes the manager as a param and |
+ // stores it internally. When you destroy the GEFont it tries to unregister |
+ // from the font manager and if the default font manager was destroyed first |
+ // get get a use-after-free. The m_pFWLTheme can try to cleanup a GEFont |
+ // when it frees, so make sure it gets cleaned up first. That requires |
+ // m_pFWLApp to be cleaned up as well. |
+ // |
+ // TODO(dsinclair): The GEFont should have the FontMgr as the pointer instead |
+ // of the DEFFontMgr so this goes away. Bug 561. |
+ std::unique_ptr<IFGAS_FontMgr> m_pFDEFontMgr; |
std::unique_ptr<CXFA_FontMgr> m_pFontMgr; |
+ |
#if _FXM_PLATFORM_ != _FXM_PLATFORM_WINDOWS_ |
std::unique_ptr<CFX_FontSourceEnum_File> m_pFontSource; |
#endif |
std::unique_ptr<CXFA_FWLAdapterWidgetMgr> m_pAdapterWidgetMgr; |
CFWL_WidgetMgrDelegate* m_pWidgetMgrDelegate; // not owned. |
- std::unique_ptr<IFGAS_FontMgr> m_pFDEFontMgr; |
+ |
// |m_pFWLApp| has to be released first, then |m_pFWLTheme| since the former |
// may refers to theme manager and the latter refers to font manager. |
std::unique_ptr<CXFA_FWLTheme> m_pFWLTheme; |
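Review bot: Moving `m_pFDEFontMgr` above the `#if` block means that on non-Windows builds `m_pFontSource` is now destroyed before the FDE font manager, the reverse of the previous order. If the manager is created from that font source and keeps a pointer to it (the creation code is not in this hunk), confirm its destructor never touches the source, or declare `m_pFontSource` above `m_pFDEFontMgr` too. The use-after-free fix rests entirely on member declaration order, which the new comment never states outright; a line such as `// Destruction runs in reverse declaration order: keep m_pFDEFontMgr above m_pFontMgr, m_pFWLTheme and m_pFWLApp.` would keep a later reorder from silently reintroducing the bug. The comment also has a "get get" typo and writes "DEFFontMgr" where the member is named `m_pFDEFontMgr`. The class body continues outside the hunk, so the position of `m_pFWLApp` relative to these members cannot be confirmed here.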