Fix an "use-after-move" in SkFontMgr_custom_embedded.
If a font file has more than one face (e.g. from a .ttc file), the unique_ptr storing the SkMemoryStream instance was reused after being moved, leading to a NULL pointer dereference in SkTypeface_FreeType::Scanner::openFace()
Bug: skia: https://bugs.chromium.org/p/skia/issues/detail?id=10322
Change-Id: I99a53a240a5e7112cd3e67d8c74ff951a9044688
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/293519
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Mike Klein <mtklein@google.com>
diff --git a/src/ports/SkFontHost_FreeType.cpp b/src/ports/SkFontHost_FreeType.cpp
index 35b87bb..5a6f6d7 100644
--- a/src/ports/SkFontHost_FreeType.cpp
+++ b/src/ports/SkFontHost_FreeType.cpp
@@ -1817,7 +1817,7 @@
FT_Face SkTypeface_FreeType::Scanner::openFace(SkStreamAsset* stream, int ttcIndex,
FT_Stream ftStream) const
{
- if (fLibrary == nullptr) {
+ if (fLibrary == nullptr || stream == nullptr) {
return nullptr;
}
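Review bot: The added `stream == nullptr` check makes openFace() fail silently for what is a caller bug (a moved-from SkStreamAsset handed in), so a regression of the kind this commit fixes would now surface only as a missing font rather than a crash. A comment on the guard, and an SkASSERT beside it so debug builds still flag the caller, would keep that visible: `// A null stream means the caller handed us a moved-from or undup'able SkStreamAsset; fail closed instead of dereferencing.`. openFace's body continues outside the hunk.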
diff --git a/src/ports/SkFontMgr_custom_embedded.cpp b/src/ports/SkFontMgr_custom_embedded.cpp
index 924dc5a..a9b0f81 100644
--- a/src/ports/SkFontMgr_custom_embedded.cpp
+++ b/src/ports/SkFontMgr_custom_embedded.cpp
@@ -100,7 +100,7 @@
addTo = new SkFontStyleSet_Custom(realname);
families->push_back().reset(addTo);
}
- auto data = std::make_unique<SkFontData>(std::move(stream), faceIndex, nullptr, 0);
+ auto data = std::make_unique<SkFontData>(stream->duplicate(), faceIndex, nullptr, 0);
addTo->appendTypeface(sk_make_sp<SkTypeface_Stream>(std::move(data),
style, isFixedPitch,
true, realname));
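Review bot: `stream->duplicate()` on the new line returns a null unique_ptr for stream types that do not support duplication, and the resulting SkFontData would then carry a null stream that is only caught later by the openFace() null guard added in the other hunk. Per the commit message the stream here is an SkMemoryStream, for which duplication is cheap and always succeeds, but that assumption is not visible at this line; a short comment would pin it: `// duplicate() rather than move: every face of a multi-face file gets its own SkFontData, each of which must own a live stream`. The enclosing loop and function start outside the hunk, so whether the original `stream` is still used after the loop cannot be confirmed from here.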