Fix UAF in CFGAS_FontMgr::FindFont Fix an use-after-free issue which was introduced by commit 53279b1dcabae4913f7f0a58e741942e82ab7d59. Bug: chromium:832589 Change-Id: Id7da791c3aa2d71d0a9e56d062069f41b7eb48d1 Reviewed-on: https://pdfium-review.googlesource.com/30570 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org>

commit: d5624a47bcaad45f6fcb30ad03b6e474f5cee17e [log] [tgz]
author: Ke Liu <stackexploit@gmail.com> Mon Apr 16 05:19:07 2018 +0000
committer: Chromium commit bot <commit-bot@chromium.org> Mon Apr 16 05:19:07 2018 +0000
tree: ddaaf60b6f0afa4bd2cfc499c7d9f41d7c06204c
parent: b71d24c1affe8648963ba5024b62e5dbf4479ae2 [diff]
diff --git a/xfa/fgas/font/cfgas_fontmgr.cpp b/xfa/fgas/font/cfgas_fontmgr.cpp
index b4e6bdc..d7acc62 100644
--- a/xfa/fgas/font/cfgas_fontmgr.cpp
+++ b/xfa/fgas/font/cfgas_fontmgr.cpp

@@ -229,8 +229,12 @@
   if (!pszFontFamily)
     return nullptr;
 
+  // Use a named object to store the returned value of EnumGdiFonts() instead
+  // of using a temporary object. This can prevent use-after-free issues since
+  // pDesc may point to one of std::deque object's elements.
+  std::deque<FX_FONTDESCRIPTOR> namedFonts = EnumGdiFonts(pszFontFamily, wUnicode);
   params.pwsFamily = nullptr;
-  pDesc = MatchDefaultFont(&params, EnumGdiFonts(pszFontFamily, wUnicode));
+  pDesc = MatchDefaultFont(&params, namedFonts);
   if (!pDesc)
     return nullptr;
commit	d5624a47bcaad45f6fcb30ad03b6e474f5cee17e	[log] [tgz]
author	Ke Liu <stackexploit@gmail.com>	Mon Apr 16 05:19:07 2018 +0000
committer	Chromium commit bot <commit-bot@chromium.org>	Mon Apr 16 05:19:07 2018 +0000
tree	ddaaf60b6f0afa4bd2cfc499c7d9f41d7c06204c
parent	b71d24c1affe8648963ba5024b62e5dbf4479ae2 [diff]