Reset context after running CXFA_TextLayout::LayoutInternal().
LayoutInternal() runs in a loop, but the conditions for when to reset
the context is not reachable. The caller to LayoutInternal() loops over
index values [0, N), but the check for when the index reaches N is in
LayoutInternal(). As a result, the context never resets in a timely
manner and instead resets when CXFA_TextLayout is destroyed. At which
time, CXFA_LoaderContext may have members that are dangling pointers.
Fix this by resetting the context after all the LayoutInternal() calls
finish.
Bug: chromium:997412
Change-Id: I17685e1cce951f35c8b70f8ee820ad81a5cbb209
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/70517
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/testing/SUPPRESSIONS b/testing/SUPPRESSIONS
index da51760..d402dec 100644
--- a/testing/SUPPRESSIONS
+++ b/testing/SUPPRESSIONS
@@ -348,6 +348,8 @@
# xfa_specific
+# TODO(pdfium:1095): Remove after associated bug is fixed
+bug_997412.in win * *
# TODO(pdfium:1107): Remove after associated bug is fixed
standard_symbols.pdf * * *
# TODO(pdfium:1168): Remove after associated bug is fixed
diff --git a/testing/resources/pixel/xfa_specific/use_ahem/bug_997412.in b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412.in
new file mode 100644
index 0000000..ecda561
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412.in
@@ -0,0 +1,35 @@
+{{header}}
+{{include ../../../xfa_catalog_1_0.fragment}}
+{{include ../../../xfa_object_2_0.fragment}}
+{{include ../../../xfa_preamble_3_0.fragment}}
+{{include ../../../xfa_config_4_0.fragment}}
+{{object 5 0}} <<
+ {{streamlen}}
+>>
+stream
+<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">
+ <subform layout="rl-tb" name="subform1">
+ <pageSet>
+ <pageArea name="Page1" id="Page1">
+ <contentArea x="18pt" y="18pt" w="612pt" h="792pt"/>
+ <medium stock="default" short="612pt" long="792pt"/>
+ </pageArea>
+ </pageSet>
+ <field h="3000pt" name="Field1">
+ <font typeface="Ahem" size="20pt"/>
+ <value>
+ <text>foo
+<!-- Intentionally formatted to trigger bug //--></text>
+ </value>
+ </field>
+ </subform>
+</template>
+endstream
+endobj
+{{include ../../../xfa_locale_6_0.fragment}}
+{{include ../../../xfa_postamble_7_0.fragment}}
+{{include ../../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
diff --git a/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.0.png b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.0.png
new file mode 100644
index 0000000..08c11b0
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.0.png
Binary files differ
diff --git a/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.1.png b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.1.png
new file mode 100644
index 0000000..7734ff7
--- /dev/null
+++ b/testing/resources/pixel/xfa_specific/use_ahem/bug_997412_expected.pdf.1.png
Binary files differ
diff --git a/xfa/fxfa/cxfa_textlayout.cpp b/xfa/fxfa/cxfa_textlayout.cpp
index 7b782d4..bbe877e 100644
--- a/xfa/fxfa/cxfa_textlayout.cpp
+++ b/xfa/fxfa/cxfa_textlayout.cpp
@@ -523,10 +523,6 @@
LoadText(pNode, szText.width, &fLinePos, true);
}
}
- if (szBlockIndex == m_Blocks.size()) {
- m_pTabstopContext.reset();
- m_pLoader.reset();
- }
return true;
}
@@ -576,6 +572,8 @@
size_t szBlockCount = CountBlocks();
for (size_t i = 0; i < szBlockCount; ++i)
LayoutInternal(i);
+ m_pTabstopContext.reset();
+ m_pLoader.reset();
}
std::vector<TextCharPos> char_pos(1);
