Fix use-after-free in CPDF_Color::~CPDF_Color

core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp

 // Copyright 2014 PDFium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
  
 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
 
 #include "../../../include/fpdfapi/fpdf_page.h"
 #include "pageint.h"
+
+CPDF_Pattern::CPDF_Pattern(const CFX_AffineMatrix* pParentMatrix)
+{
+    m_pPatternObj = NULL;

[Tom Sepez, 2014/08/05 17:34:15]

nit: these can (and should) occur as part of a : - style initializer list before
the first {.

[jun_fang, 2014/08/05 18:21:40]

OK. I will update them in the next patch.

+    m_PatternType = PATTERN_TILING;
+    m_pDocument   = NULL;
+    m_pColor      = NULL;
+
+    if (pParentMatrix) {
+        m_ParentMatrix = *pParentMatrix;
+    }
+}
+
+CPDF_Pattern::~CPDF_Pattern()
+{
+    if (m_pColor) {
+        m_pColor->SetValue(NULL, NULL, 0);
+        m_pColor = NULL;

[Tom Sepez, 2014/08/05 17:34:14]

Do we leak m_pColor here? Who owns this memory?

[jun_fang, 2014/08/05 18:21:39]

No. m_pColor refers to the object of CPDF_Color by calling
pPattern->SaveColor(this). We save a reference, m_pColor, in CPDF_Pattern so
that we can inform CPDF_Color to set the saved pointer of pattern to NULL when
the object of CPDF_Pattern is deconstructed.

+    }
+}
 CPDF_TilingPattern::CPDF_TilingPattern(CPDF_Document* pDoc, CPDF_Object* pPatternObj, const CFX_AffineMatrix* parentMatrix) :
     CPDF_Pattern(parentMatrix)
 {
     m_PatternType = PATTERN_TILING;
     m_pPatternObj = pPatternObj;
     m_pDocument = pDoc;
+    m_pColor = NULL;

[Tom Sepez, 2014/08/05 17:34:14]

m_pColor is nulled in the parent class constructor.

[jun_fang, 2014/08/05 18:21:40]

I will update it in the next patch.

     CPDF_Dictionary* pDict = m_pPatternObj->GetDict();
     ASSERT(pDict != NULL);
     m_Pattern2Form = pDict->GetMatrix(FX_BSTRC("Matrix"));
     m_bColored = pDict->GetInteger(FX_BSTRC("PaintType")) == 1;
     if (parentMatrix) {
         m_Pattern2Form.Concat(*parentMatrix);
     }
     m_pForm = NULL;
 }
 CPDF_TilingPattern::~CPDF_TilingPattern()
 {
     if (m_pForm) {
         delete m_pForm;
+        m_pForm = NULL;
     }
 }
 FX_BOOL CPDF_TilingPattern::Load()
 {
     if (m_pForm != NULL) {
         return TRUE;
     }
     CPDF_Dictionary* pDict = m_pPatternObj->GetDict();
     if (pDict == NULL) {
         return FALSE;
     }
     m_bColored = pDict->GetInteger(FX_BSTRC("PaintType")) == 1;
     m_XStep = (FX_FLOAT)FXSYS_fabs(pDict->GetNumber(FX_BSTRC("XStep")));
     m_YStep = (FX_FLOAT)FXSYS_fabs(pDict->GetNumber(FX_BSTRC("YStep")));
     if (m_pPatternObj->GetType() != PDFOBJ_STREAM) {
         return FALSE;
     }
     CPDF_Stream* pStream = (CPDF_Stream*)m_pPatternObj;
     m_pForm = FX_NEW CPDF_Form(m_pDocument, NULL, pStream);
     m_pForm->ParseContent(NULL, &m_ParentMatrix, NULL, NULL);
     m_BBox = pDict->GetRect(FX_BSTRC("BBox"));
     return TRUE;
 }
 CPDF_ShadingPattern::CPDF_ShadingPattern(CPDF_Document* pDoc, CPDF_Object* pPatternObj, FX_BOOL bShading, const CFX_AffineMatrix* parentMatrix) : CPDF_Pattern(parentMatrix)
 {
     m_PatternType = PATTERN_SHADING;
     m_pPatternObj = bShading ? NULL : pPatternObj;
     m_pDocument = pDoc;
+    m_pColor = NULL;
     m_bShadingObj = bShading;
     if (!bShading) {
         CPDF_Dictionary* pDict = m_pPatternObj->GetDict();
         ASSERT(pDict != NULL);
         m_Pattern2Form = pDict->GetMatrix(FX_BSTRC("Matrix"));
         m_pShadingObj = pDict->GetElementValue(FX_BSTRC("Shading"));
         if (parentMatrix) {
             m_Pattern2Form.Concat(*parentMatrix);
         }
     } else {
@@ skipping 203 matching lines @@
             }
         }
         stream.m_BitStream.SkipBits(stream.m_nComps * stream.m_nCompBits * color_count);
         if (bGouraud) {
             stream.m_BitStream.ByteAlign();
         }
     }
     rect.Transform(pMatrix);
     return rect;
 }