fonts: Fix memory allocation for fallback glyphs.

When allocating the mask for a fallback glyph, we allocate it on the
arena on the SkScalerContext while the image belongs to a glyph on a
different cache. This can lead to use-after-free bugs if accessing the
image after the context owning that memory is destroyed. Fix this by
allocating on the arena from the owning cache.

R=herb@google.com, mtklein@google.com

Bug: 829622
Change-Id: Ife53e24f5bc868f36c43f2adcd7a2629ab5577fe
Reviewed-on: https://skia-review.googlesource.com/134182
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

1 files changed, 3 insertions, 7 deletions

diff --git a/src/core/SkTypeface_remote.h b/src/core/SkTypeface_remote.h
index 1e079eff49..88628d13b4 100644
--- a/src/core/SkTypeface_remote.h
+++ b/src/core/SkTypeface_remote.h
@@ -26,6 +26,8 @@ public:
                          const SkDescriptor* desc,
                          sk_sp<SkStrikeClient::DiscardableHandleManager> manager);
 
+    void initCache(SkGlyphCache*);
+
 protected:
     unsigned generateGlyphCount() override;
     uint16_t generateCharToGlyph(SkUnichar) override;
@@ -37,14 +39,8 @@ protected:
     SkTypefaceProxy* getProxyTypeface() const;
 
 private:
-    // Copied from SkGlyphCache
-    // so we don't grow our arrays a lot
-    static constexpr size_t kMinGlyphCount = 8;
-    static constexpr size_t kMinGlyphImageSize = 16 /* height */ * 8 /* width */;
-    static constexpr size_t kMinAllocAmount = kMinGlyphImageSize * kMinGlyphCount;
-
-    SkArenaAlloc                                    fAlloc{kMinAllocAmount};
     sk_sp<SkStrikeClient::DiscardableHandleManager> fDiscardableManager;
+    SkGlyphCache* fCache = nullptr;
     typedef SkScalerContext INHERITED;
 };