Use refcounting for |SkiaState::m_pTypeFace|.

Otherwise the CFX_TypeFace object that SkiaState points to may get
destroyed, leaving SkiaState with a dangling pointer.

Bug: chromium:981785
Change-Id: I5ea2402d9d5320f266b7eb5b48b9eb16e5170278
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/57491
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp
index 21ce1f7..4169766 100644
--- a/core/fxge/skia/fx_skia_device.cpp
+++ b/core/fxge/skia/fx_skia_device.cpp
@@ -878,7 +878,10 @@
     if (Accumulator::kText != m_type) {
       m_positions.setCount(0);
       m_glyphs.setCount(0);
-      m_pTypeFace = pFont->GetFaceRec() ? pFont->GetDeviceCache() : nullptr;
+      if (pFont->GetFaceRec())
+        m_pTypeFace.reset(SkSafeRef(pFont->GetDeviceCache()));
+      else
+        m_pTypeFace.reset();
       m_fontSize = font_size;
       m_scaleX = scaleX;
       m_fillColor = color;
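Review bot: The ownership transfer at the new `m_pTypeFace.reset(SkSafeRef(...))` line is implicit and easy to break in a later edit. `SkSafeRef` takes the ref and `reset()` adopts the pointer without taking another, so dropping the `SkSafeRef` would compile and bring back the premature free. A comment such as `// Take our own ref; reset() adopts it without adding one.` would record this. If `sk_ref_sp` accepts `CFX_TypeFace` here, `m_pTypeFace = sk_ref_sp(pFont->GetDeviceCache());` in the `if` branch says the same thing more directly. The enclosing function starts and ends outside the hunk.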
@@ -942,8 +945,7 @@
 
     SkFont font;
     if (m_pTypeFace) {  // exclude placeholder test fonts
-      sk_sp<SkTypeface> typeface(SkSafeRef(m_pTypeFace.Get()));
-      font.setTypeface(typeface);
+      font.setTypeface(m_pTypeFace);
     }
     font.setHinting(SkFontHinting::kNone);
     font.setScaleX(m_scaleX);
@@ -1137,7 +1139,7 @@
                    uint32_t color) const {
     CFX_TypeFace* typeface =
         pFont->GetFaceRec() ? pFont->GetDeviceCache() : nullptr;
-    return typeface != m_pTypeFace || MatrixChanged(&matrix) ||
+    return typeface != m_pTypeFace.get() || MatrixChanged(&matrix) ||
            font_size != m_fontSize || scaleX != m_scaleX ||
            color != m_fillColor;
   }
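Review bot: The selection `pFont->GetFaceRec() ? pFont->GetDeviceCache() : nullptr` here duplicates the condition used in the first hunk where `m_pTypeFace` is set. If the two drift apart, this change check would compare against a pointer chosen by a different rule. A small private helper that returns the raw `CFX_TypeFace*` for a font, called from both sites, would keep them in sync. The comparison is by pointer identity, which deserves a comment such as `// Identity compare is sound: m_pTypeFace holds a ref, so its address cannot be reused while held.` The function's signature begins outside the hunk.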
@@ -1430,7 +1432,7 @@
   CFX_GraphStateData m_drawState;
   CFX_Matrix m_clipMatrix;
   UnownedPtr<CFX_SkiaDeviceDriver> const m_pDriver;
-  UnownedPtr<CFX_TypeFace> m_pTypeFace;
+  sk_sp<CFX_TypeFace> m_pTypeFace;
   float m_fontSize = 0;
   float m_scaleX = 0;
   uint32_t m_fillColor = 0;
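Review bot: The `m_pTypeFace` declaration becomes an owning pointer without saying so, while the neighbouring `m_pDriver` stays `UnownedPtr`. A member comment such as `// Strong ref: keeps the typeface alive while text is accumulated.` would make that difference explicit. It would also discourage a later switch back to a non-owning type. No test is visible in this part of the commit, so a regression test for the referenced bug, run under a sanitizer build, would help guard the lifetime fix. The class body starts and ends outside the hunk.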