authorOliver Chang <ochang@chromium.org>2016-01-13 18:32:12 -0800
committerOliver Chang <ochang@chromium.org>2016-01-13 18:32:12 -0800
commitcae57daaa0f7ed4c92e22c4e7ef30392393d1128 (patch)
treeea52784c8837d807145e7c6c985dc559b69c9348
parent5d1070dc642800242ec2e9d9d74aa1e5715d2b62 (diff)
downloadpdfium-cae57daaa0f7ed4c92e22c4e7ef30392393d1128.tar.xz
Fix some iterator invalidation issues while traversing CPDF_Dictionary.
Also fixes a potential issue in CPDF_Dictionary::ReplaceKey. R=thestig@chromium.org BUG=577030 Review URL: https://codereview.chromium.org/1582963003 .
-rw-r--r--core/include/fpdfapi/fpdf_objects.h3
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp3
-rw-r--r--core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp8
-rw-r--r--fpdfsdk/src/fpdfppo.cpp8
4 files changed, 16 insertions, 6 deletions
diff --git a/core/include/fpdfapi/fpdf_objects.h b/core/include/fpdfapi/fpdf_objects.h
index 80d978ecd9..92ce0b922f 100644
--- a/core/include/fpdfapi/fpdf_objects.h
+++ b/core/include/fpdfapi/fpdf_objects.h
@@ -385,6 +385,7 @@ class CPDF_Dictionary : public CPDF_Object {
FX_BOOL KeyExist(const CFX_ByteStringC& key) const;
+ // Set* functions invalidate iterators for the element with the key |key|.
void SetAt(const CFX_ByteStringC& key, CPDF_Object* pObj);
void SetAtName(const CFX_ByteStringC& key, const CFX_ByteString& name);
@@ -415,8 +416,10 @@ class CPDF_Dictionary : public CPDF_Object {
void SetAtBoolean(const CFX_ByteStringC& key, FX_BOOL bValue);
+ // Invalidates iterators for the element with the key |key|.
void RemoveAt(const CFX_ByteStringC& key);
+ // Invalidates iterators for the element with the key |oldkey|.
void ReplaceKey(const CFX_ByteStringC& oldkey, const CFX_ByteStringC& newkey);
FX_BOOL Identical(CPDF_Dictionary* pDict) const;
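Review bot: The comment added on ReplaceKey covers only iterators for |oldkey|, but the implementation in fpdf_parser_objects.cpp also calls `new_it->second->Release()` when |newkey| is already present, so a raw `CPDF_Object*` that a caller cached from that entry is left dangling. Since this commit addresses callers holding stale state across a mutation, the contract should state it, for example `// Invalidates iterators for the element with the key |oldkey| and releases any object already stored under |newkey|.` The Set* and RemoveAt comments presumably need the same remark about the replaced or removed object, but their bodies are not visible in this diff, so that should be confirmed against the implementation.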
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
index e0ce3faadf..cad8d7701d 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp
@@ -734,6 +734,9 @@ void CPDF_Dictionary::ReplaceKey(const CFX_ByteStringC& oldkey,
// Avoid 2 constructions of CFX_ByteString.
CFX_ByteString newkey_bytestring = newkey;
auto new_it = m_Map.find(newkey_bytestring);
+ if (new_it == old_it)
+ return;
+
if (new_it != m_Map.end()) {
new_it->second->Release();
new_it->second = old_it->second;
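Review bot: The new `if (new_it == old_it) return;` guard carries no comment, and its reason is easy to lose in a later cleanup. When both keys resolve to the same entry, the lines below would release `new_it->second` and then store that same pointer back. I would add `// Same entry: the Release() below would free the object that is then stored back.` above the check. The diffstat lists four source files and no test, so a small regression test that calls ReplaceKey with identical keys would pin this down. ReplaceKey begins and ends outside this hunk, so the handling of `old_it` after the assignment is not reviewed here.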
diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
index 73da3619bb..6f0fc76fc0 100644
--- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
+++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp
@@ -885,9 +885,11 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() {
if (!pRoot ||
(pRef && IsValidObjectNumber(pRef->GetRefObjNum()) &&
m_ObjectInfo[pRef->GetRefObjNum()].pos != 0)) {
- for (const auto& it : *pTrailer) {
- const CFX_ByteString& key = it.first;
- CPDF_Object* pElement = it.second;
+ auto it = pTrailer->begin();
+ while (it != pTrailer->end()) {
+ const CFX_ByteString& key = it->first;
+ CPDF_Object* pElement = it->second;
+ ++it;
FX_DWORD dwObjNum =
pElement ? pElement->GetObjNum() : 0;
if (dwObjNum) {
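Review bot: `key` is still bound by reference to the map node (`const CFX_ByteString& key = it->first;`), so moving `++it` ahead of the body protects the iterator but not `key` or the cached `pElement`. If the body removes the current entry, which is presumably why the increment was moved, `key` refers to a destroyed node from then on, and a replaced entry would leave `pElement` pointing at a released object. Copying the key with `const CFX_ByteString key = it->first;` removes the first hazard whatever the body does after the mutation. The same applies to the identical loop in CPDF_PageOrganizer::UpdateReference in fpdfsdk/src/fpdfppo.cpp. A comment such as `// Advance first: the body may invalidate the iterator for |key|.` would also stop a later refactor from turning these back into range-for loops; both loop bodies continue outside their hunks.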
diff --git a/fpdfsdk/src/fpdfppo.cpp b/fpdfsdk/src/fpdfppo.cpp
index dac548131e..47b91015a9 100644
--- a/fpdfsdk/src/fpdfppo.cpp
+++ b/fpdfsdk/src/fpdfppo.cpp
@@ -213,9 +213,11 @@ FX_BOOL CPDF_PageOrganizer::UpdateReference(CPDF_Object* pObj,
}
case PDFOBJ_DICTIONARY: {
CPDF_Dictionary* pDict = pObj->AsDictionary();
- for (const auto& it : *pDict) {
- const CFX_ByteString& key = it.first;
- CPDF_Object* pNextObj = it.second;
+ auto it = pDict->begin();
+ while (it != pDict->end()) {
+ const CFX_ByteString& key = it->first;
+ CPDF_Object* pNextObj = it->second;
+ ++it;
if (!FXSYS_strcmp(key, "Parent") || !FXSYS_strcmp(key, "Prev") ||
!FXSYS_strcmp(key, "First")) {
continue;