fonts: Fix memory allocation for fallback glyphs.

When allocating the mask for a fallback glyph, we allocate it on the
arena on the SkScalerContext while the image belongs to a glyph on a
different cache. This can lead to use-after-free bugs if accessing the
image after the context owning that memory is destroyed. Fix this by
allocating on the arena from the owning cache.

R=herb@google.com, mtklein@google.com

Bug: 829622
Change-Id: Ife53e24f5bc868f36c43f2adcd7a2629ab5577fe
Reviewed-on: https://skia-review.googlesource.com/134182
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

1 files changed, 1 insertions, 0 deletions

diff --git a/src/core/SkRemoteGlyphCache.cpp b/src/core/SkRemoteGlyphCache.cpp
index 49688886c1..0ccbf2f15e 100644
--- a/src/core/SkRemoteGlyphCache.cpp
+++ b/src/core/SkRemoteGlyphCache.cpp
@@ -801,6 +801,7 @@ bool SkStrikeClient::readStrikeData(const volatile void* memory, size_t memorySi
                     *client_desc, std::move(scaler), &fontMetrics,
                     skstd::make_unique<DiscardableStrikePinner>(spec.discardableHandleId,
                                                                 fDiscardableHandleManager));
+            static_cast<SkScalerContextProxy*>(strike->getScalerContext())->initCache(strike.get());
         }
 
         size_t glyphImagesCount = 0u;