Use refcounting for |SkiaState::m_pTypeFace|.
Otherwise the CFX_TypeFace object SkiaState points to may get destroyed,
leaving SkiaState with a dangling pointer.
Bug: chromium:981785
Change-Id: I5ea2402d9d5320f266b7eb5b48b9eb16e5170278
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/57491
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/core/fxge/skia/fx_skia_device.cpp b/core/fxge/skia/fx_skia_device.cpp
index 21ce1f7..4169766 100644
--- a/core/fxge/skia/fx_skia_device.cpp
+++ b/core/fxge/skia/fx_skia_device.cpp
@@ -878,7 +878,10 @@
if (Accumulator::kText != m_type) {
m_positions.setCount(0);
m_glyphs.setCount(0);
- m_pTypeFace = pFont->GetFaceRec() ? pFont->GetDeviceCache() : nullptr;
+ if (pFont->GetFaceRec())
+ m_pTypeFace.reset(SkSafeRef(pFont->GetDeviceCache()));
+ else
+ m_pTypeFace.reset();
m_fontSize = font_size;
m_scaleX = scaleX;
m_fillColor = color;
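Review bot: `m_pTypeFace.reset(...)` adopts the pointer it is given without taking a reference, so the lifetime fix rests entirely on the `SkSafeRef()` wrapper. If a later edit drops that wrapper, the state would release a reference it never took and the dangling pointer returns. `sk_ref_sp()` states the intent in one call and removes the if/else: `m_pTypeFace = pFont->GetFaceRec() ? sk_ref_sp(pFont->GetDeviceCache()) : nullptr;`. The enclosing function starts and ends outside the hunk.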
@@ -942,8 +945,7 @@
SkFont font;
if (m_pTypeFace) { // exclude placeholder test fonts
- sk_sp<SkTypeface> typeface(SkSafeRef(m_pTypeFace.Get()));
- font.setTypeface(typeface);
+ font.setTypeface(m_pTypeFace);
}
font.setHinting(SkFontHinting::kNone);
font.setScaleX(m_scaleX);
@@ -1137,7 +1139,7 @@
uint32_t color) const {
CFX_TypeFace* typeface =
pFont->GetFaceRec() ? pFont->GetDeviceCache() : nullptr;
- return typeface != m_pTypeFace || MatrixChanged(&matrix) ||
+ return typeface != m_pTypeFace.get() || MatrixChanged(&matrix) ||
font_size != m_fontSize || scaleX != m_scaleX ||
color != m_fillColor;
}
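Review bot: The `typeface != m_pTypeFace.get()` test is a pointer-identity comparison and deserves a comment saying it is only sound because the state now holds a reference. While the reference is held, the address cannot be freed and reused by a different typeface, which would otherwise make a changed font look unchanged. Suggested comment above the return: `// Identity compare is safe: m_pTypeFace holds a ref, so the address cannot be recycled.` The function's signature starts above the hunk.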
@@ -1430,7 +1432,7 @@
CFX_GraphStateData m_drawState;
CFX_Matrix m_clipMatrix;
UnownedPtr<CFX_SkiaDeviceDriver> const m_pDriver;
- UnownedPtr<CFX_TypeFace> m_pTypeFace;
+ sk_sp<CFX_TypeFace> m_pTypeFace;
float m_fontSize = 0;
float m_scaleX = 0;
uint32_t m_fillColor = 0;
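Review bot: The new `sk_sp<CFX_TypeFace> m_pTypeFace;` member has no comment explaining why it owns a reference while its neighbour `m_pDriver` stays an `UnownedPtr`, which invites a well-meaning revert to the unowned form. A one-line comment would record the reason, for example `// Owning ref: the typeface must outlive the cache entry it came from until pending text is drawn.` That wording assumes the typeface is freed by the font cache, which this diff does not show, so adjust it to the actual cause. No regression test for chromium:981785 is visible in this diff; if one exists elsewhere or cannot be landed, the description should say so.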