Fix use-after-free in CPDF_Color::~CPDF_Color

core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp

Index: core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
index 8cb6dc77dc85d531333da8b5507f4aabdc1df039..fb7983ce1edbe4dbba5e78e134e58b4ec55705e9 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_pattern.cpp
@@ -6,12 +6,21 @@
 
 #include "../../../include/fpdfapi/fpdf_page.h"
 #include "pageint.h"
+
+CPDF_Pattern::~CPDF_Pattern()
+{
+    if (m_pColor) {
+        m_pColor->SetValue(NULL, NULL, 0);
+    }
+    m_pColor = NULL;

[Tom Sepez, 2014/08/04 18:02:32]

This can move inside the if {} since its already NULL if the if-branch isn't
taken.

[palmer, 2014/08/04 18:17:11]

Alternately, save a level of indentation:

if (!m_pColor)
    return;

m_pColor->SetValue(NULL, NULL, 0);
m_pColor = NULL;

[jun_fang, 2014/08/04 18:37:11]

Acknowledge

+}
 CPDF_TilingPattern::CPDF_TilingPattern(CPDF_Document* pDoc, CPDF_Object* pPatternObj, const CFX_AffineMatrix* parentMatrix) :
     CPDF_Pattern(parentMatrix)
 {
     m_PatternType = PATTERN_TILING;
     m_pPatternObj = pPatternObj;
     m_pDocument = pDoc;
+    m_pColor = NULL;
     CPDF_Dictionary* pDict = m_pPatternObj->GetDict();
     ASSERT(pDict != NULL);
     m_Pattern2Form = pDict->GetMatrix(FX_BSTRC("Matrix"));
@@ -25,6 +34,7 @@ CPDF_TilingPattern::~CPDF_TilingPattern()
 {
     if (m_pForm) {
         delete m_pForm;
+        m_pForm = NULL;
     }
 }
 FX_BOOL CPDF_TilingPattern::Load()
@@ -53,6 +63,7 @@ CPDF_ShadingPattern::CPDF_ShadingPattern(CPDF_Document* pDoc, CPDF_Object* pPatt
     m_PatternType = PATTERN_SHADING;
     m_pPatternObj = bShading ? NULL : pPatternObj;
     m_pDocument = pDoc;
+    m_pColor = NULL;
     m_bShadingObj = bShading;
     if (!bShading) {
         CPDF_Dictionary* pDict = m_pPatternObj->GetDict();