fonts: Fix memory allocation for fallback glyphs.

When allocating the mask for a fallback glyph, we allocate it on the
arena on the SkScalerContext while the image belongs to a glyph on a
different cache. This can lead to use-after-free bugs if accessing the
image after the context owning that memory is destroyed. Fix this by
allocating on the arena from the owning cache.

R=herb@google.com, mtklein@google.com

Bug: 829622
Change-Id: Ife53e24f5bc868f36c43f2adcd7a2629ab5577fe
Reviewed-on: https://skia-review.googlesource.com/134182
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

1 files changed, 6 insertions, 3 deletions

diff --git a/src/core/SkStrikeCache.h b/src/core/SkStrikeCache.h
index da984cce13..05e3aa4025 100644
--- a/src/core/SkStrikeCache.h
+++ b/src/core/SkStrikeCache.h
@@ -70,8 +70,9 @@ public:
 
     static ExclusiveStrikePtr FindStrikeExclusive(const SkDescriptor&);
 
-    static bool DesperationSearchForImage(
-            const SkDescriptor& desc, SkGlyph* glyph, SkArenaAlloc* arena);
+    static bool DesperationSearchForImage(const SkDescriptor& desc,
+                                          SkGlyph* glyph,
+                                          SkGlyphCache* targetCache);
 
     static bool DesperationSearchForPath(
             const SkDescriptor& desc, SkGlyphID glyphID, SkPath* path);
@@ -112,7 +113,9 @@ public:
 
     // Routines to find suitable data when working in a remote cache situation. These are
     // suitable as substitutes for similar calls in SkScalerContext.
-    bool desperationSearchForImage(const SkDescriptor& desc, SkGlyph* glyph, SkArenaAlloc* alloc);
+    bool desperationSearchForImage(const SkDescriptor& desc,
+                                   SkGlyph* glyph,
+                                   SkGlyphCache* targetCache);
     bool desperationSearchForPath(const SkDescriptor& desc, SkGlyphID glyphID, SkPath* path);
 
     void purgeAll(); // does not change budget