Fix "heap use after free" bug.

core/fpdfapi/fpdf_render/fpdf_render_image.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "core/fpdfapi/fpdf_render/render_int.h"
 
 #include <memory>
 #include <utility>
@@ skipping 972 matching lines @@
   FXDIB_Format format;
 #if _FXM_PLATFORM_ == _FXM_PLATFORM_APPLE_ || defined _SKIA_SUPPORT_
   format = bLuminosity ? FXDIB_Rgb32 : FXDIB_8bppMask;
 #else
   format = bLuminosity ? FXDIB_Rgb : FXDIB_8bppMask;
 #endif
   if (!bitmap_device.Create(width, height, format, nullptr))
     return nullptr;
 
   CFX_DIBitmap& bitmap = *bitmap_device.GetBitmap();
-  CPDF_Object* pCSObj = nullptr;
-  CPDF_ColorSpace* pCS = nullptr;
+  int color_space_family = 0;
   if (bLuminosity) {
     CPDF_Array* pBC = pSMaskDict->GetArrayFor("BC");
     FX_ARGB back_color = 0xff000000;
     if (pBC) {
+      CPDF_Object* pCSObj = nullptr;
       CPDF_Dictionary* pDict = pGroup->GetDict();
-      if (pDict && pDict->GetDictFor("Group"))
+      if (pDict && pDict->GetDictFor("Group")) {
         pCSObj = pDict->GetDictFor("Group")->GetDirectObjectFor("CS");
-      else
-        pCSObj = nullptr;
-      pCS = m_pContext->GetDocument()->LoadColorSpace(pCSObj);
+      }
+      const CPDF_ColorSpace* pCS =
+          m_pContext->GetDocument()->LoadColorSpace(pCSObj);
       if (pCS) {
+        // Store Color Space Family to use in CPDF_RenderStatus::Initialize.
+        color_space_family = pCS->GetFamily();
+
         FX_FLOAT R, G, B;
         uint32_t comps = 8;
         if (pCS->CountComponents() > comps) {
           comps = pCS->CountComponents();
         }
         CFX_FixedBufGrow<FX_FLOAT, 8> float_array(comps);
         FX_FLOAT* pFloats = float_array;
         FX_SAFE_UINT32 num_floats = comps;
         num_floats *= sizeof(FX_FLOAT);
         if (!num_floats.IsValid()) {
@@ skipping 16 matching lines @@
   }
   CPDF_Dictionary* pFormResource = nullptr;
   if (form.m_pFormDict) {
     pFormResource = form.m_pFormDict->GetDictFor("Resources");
   }
   CPDF_RenderOptions options;
   options.m_ColorMode = bLuminosity ? RENDER_COLOR_NORMAL : RENDER_COLOR_ALPHA;
   CPDF_RenderStatus status;
   status.Initialize(m_pContext, &bitmap_device, nullptr, nullptr, nullptr,
                     nullptr, &options, 0, m_bDropObjects, pFormResource, TRUE,
-                    nullptr, 0, pCS ? pCS->GetFamily() : 0, bLuminosity);
+                    nullptr, 0, color_space_family, bLuminosity);
   status.RenderObjectList(&form, &matrix);
   std::unique_ptr<CFX_DIBitmap> pMask(new CFX_DIBitmap);
   if (!pMask->Create(width, height, FXDIB_8bppMask))
     return nullptr;
 
   uint8_t* dest_buf = pMask->GetBuffer();
   int dest_pitch = pMask->GetPitch();
   uint8_t* src_buf = bitmap.GetBuffer();
   int src_pitch = bitmap.GetPitch();
   std::vector<uint8_t> transfers(256);
@@ skipping 23 matching lines @@
   } else if (pFunc) {
     int size = dest_pitch * height;
     for (int i = 0; i < size; i++) {
       dest_buf[i] = transfers[src_buf[i]];
     }
   } else {
     FXSYS_memcpy(dest_buf, src_buf, dest_pitch * height);
   }
   return pMask.release();
 }