Avoid a potentially dangling pointer in CPDF_PageImageCache. Bug: chromium:1412236 Change-Id: Ia10861193888ea0329e7006c771cf46101609099 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/103504 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: a5ec3a4a1b595cfae58de46f94e81f8833d7dd26 [log] [tgz]
author: Lei Zhang <thestig@chromium.org> Thu Feb 02 21:12:26 2023 +0000
committer: Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Feb 02 21:12:26 2023 +0000
tree: 1d10c323b23a2eb61d10f0e2be6f80df8e63f2d7
parent: bac72b00c4491af72c41f5d36182d2cea788d2d1 [diff]
diff --git a/core/fpdfapi/page/cpdf_pageimagecache.cpp b/core/fpdfapi/page/cpdf_pageimagecache.cpp
index ae8f72e..497cd8b 100644
--- a/core/fpdfapi/page/cpdf_pageimagecache.cpp
+++ b/core/fpdfapi/page/cpdf_pageimagecache.cpp

@@ -73,6 +73,13 @@
     return;
 
   m_nCacheSize -= it->second->EstimateSize();
+
+  // Avoid leaving `m_pCurImageCacheEntry` as a dangling pointer when `it` is
+  // about to be deleted.
+  if (m_pCurImageCacheEntry.Get() == it->second.get()) {
+    DCHECK(!m_pCurImageCacheEntry.IsOwned());
+    m_pCurImageCacheEntry.Reset();
+  }
   m_ImageCache.erase(it);
 }
commit	a5ec3a4a1b595cfae58de46f94e81f8833d7dd26	[log] [tgz]
author	Lei Zhang <thestig@chromium.org>	Thu Feb 02 21:12:26 2023 +0000
committer	Pdfium LUCI CQ <pdfium-scoped@luci-project-accounts.iam.gserviceaccount.com>	Thu Feb 02 21:12:26 2023 +0000
tree	1d10c323b23a2eb61d10f0e2be6f80df8e63f2d7
parent	bac72b00c4491af72c41f5d36182d2cea788d2d1 [diff]