Font is used after release in CPDF_TextStateData::~CPDF_TextStateData

core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp

Index: core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
diff --git a/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp b/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
index 8053718c190fef0413ae94c8a1857a2a30f136ca..4227dcd62c4b7992ab7a31eb4853203900c1faa1 100644
--- a/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
+++ b/core/src/fpdfapi/fpdf_page/fpdf_page_graph_state.cpp
@@ -285,6 +285,7 @@ void CPDF_ColorState::SetStrokePattern(CPDF_Pattern* pPattern, FX_FLOAT* pValue,
 CPDF_TextStateData::CPDF_TextStateData()
 {
     m_pFont = NULL;
+    m_pDocument = NULL;
     m_FontSize = 1.0f;
     m_WordSpace = 0;
     m_CharSpace = 0;
@@ -296,27 +297,35 @@ CPDF_TextStateData::CPDF_TextStateData()
 }
 CPDF_TextStateData::CPDF_TextStateData(const CPDF_TextStateData& src)
 {
+    if (this == &src) {
+        return;
+    }
     FXSYS_memcpy32(this, &src, sizeof(CPDF_TextStateData));
-    if (m_pFont && m_pFont->m_pDocument) {
-        m_pFont = m_pFont->m_pDocument->GetPageData()->GetFont(m_pFont->GetFontDict(), FALSE);
+    if (m_pDocument) {

[Tom Sepez, 2014/08/18 22:34:16]

Are we sure that removing the m_pFont test is OK?  You removed one m_pFont->
frome the next line, but there's still a m_pFont->GetFontDict() call buried in
the arguments ...

[jun_fang, 2014/08/18 22:59:31]

At line 304, I will change it back as below:
if (m_pDocument && m_pFont) {

+        m_pFont = m_pDocument->GetPageData()->GetFont(m_pFont->GetFontDict(), FALSE);
     }
 }
 CPDF_TextStateData::~CPDF_TextStateData()
 {
-    CPDF_Font* pFont = m_pFont;
-    if (pFont && pFont->m_pDocument) {
-        pFont->m_pDocument->GetPageData()->ReleaseFont(pFont->GetFontDict());
+    if (m_pDocument) {

[Tom Sepez, 2014/08/18 22:09:22]

nit: this test could be (m_pDocument && m_pFont) since we test m_pFont below
after doing some work that could be avoided if we don't have one.

+        CPDF_DocPageData *pPageData = m_pDocument->GetPageData();
+        if (pPageData && m_pFont && !pPageData->IsForceClear()) {
+            pPageData->ReleaseFont(m_pFont->GetFontDict());
+        }
     }
 }
 void CPDF_TextState::SetFont(CPDF_Font* pFont)
 {
-    CPDF_Font*& pStateFont = GetModify()->m_pFont;
-    CPDF_DocPageData* pDocPageData = NULL;
-    if (pStateFont && pStateFont->m_pDocument) {
-        pDocPageData = pStateFont->m_pDocument->GetPageData();
-        pDocPageData->ReleaseFont(pStateFont->GetFontDict());
+    CPDF_TextStateData* pStateData = GetModify();
+    CPDF_Document* pDoc = pStateData ? pStateData->m_pDocument : NULL;

[Tom Sepez, 2014/08/18 22:09:22]

nit: can move this inside the if (pStateData) test on the next line and avoid
the ?-operator.

+    if (pStateData) {
+        CPDF_DocPageData *pPageData = pDoc ? pDoc->GetPageData() : NULL;
+        if (pPageData && pStateData->m_pFont && !pPageData->IsForceClear()) {
+            pPageData->ReleaseFont(pStateData->m_pFont->GetFontDict());
+        }
+        pStateData->m_pDocument = pFont ? pFont->m_pDocument : NULL;
+        pStateData->m_pFont = pFont;
     }
-    pStateFont = pFont;
 }
 FX_FLOAT CPDF_TextState::GetFontSizeV() const
 {