diff options
author | Oliver Chang <ochang@chromium.org> | 2016-01-13 18:32:12 -0800 |
---|---|---|
committer | Oliver Chang <ochang@chromium.org> | 2016-01-13 18:32:12 -0800 |
commit | cae57daaa0f7ed4c92e22c4e7ef30392393d1128 (patch) | |
tree | ea52784c8837d807145e7c6c985dc559b69c9348 | |
parent | 5d1070dc642800242ec2e9d9d74aa1e5715d2b62 (diff) | |
download | pdfium-cae57daaa0f7ed4c92e22c4e7ef30392393d1128.tar.xz |
Fix some iterator invalidation issues while traversing CPDF_Dictionary.
Also fixes a potential issue in CPDF_Dictionary::ReplaceKey.
R=thestig@chromium.org
BUG=577030
Review URL: https://codereview.chromium.org/1582963003 .
-rw-r--r-- | core/include/fpdfapi/fpdf_objects.h | 3 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp | 3 | ||||
-rw-r--r-- | core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp | 8 | ||||
-rw-r--r-- | fpdfsdk/src/fpdfppo.cpp | 8 |
4 files changed, 16 insertions, 6 deletions
diff --git a/core/include/fpdfapi/fpdf_objects.h b/core/include/fpdfapi/fpdf_objects.h index 80d978ecd9..92ce0b922f 100644 --- a/core/include/fpdfapi/fpdf_objects.h +++ b/core/include/fpdfapi/fpdf_objects.h @@ -385,6 +385,7 @@ class CPDF_Dictionary : public CPDF_Object { FX_BOOL KeyExist(const CFX_ByteStringC& key) const; + // Set* functions invalidate iterators for the element with the key |key|. void SetAt(const CFX_ByteStringC& key, CPDF_Object* pObj); void SetAtName(const CFX_ByteStringC& key, const CFX_ByteString& name); @@ -415,8 +416,10 @@ class CPDF_Dictionary : public CPDF_Object { void SetAtBoolean(const CFX_ByteStringC& key, FX_BOOL bValue); + // Invalidates iterators for the element with the key |key|. void RemoveAt(const CFX_ByteStringC& key); + // Invalidates iterators for the element with the key |oldkey|. void ReplaceKey(const CFX_ByteStringC& oldkey, const CFX_ByteStringC& newkey); FX_BOOL Identical(CPDF_Dictionary* pDict) const; diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp index e0ce3faadf..cad8d7701d 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp @@ -734,6 +734,9 @@ void CPDF_Dictionary::ReplaceKey(const CFX_ByteStringC& oldkey, // Avoid 2 constructions of CFX_ByteString. CFX_ByteString newkey_bytestring = newkey; auto new_it = m_Map.find(newkey_bytestring); + if (new_it == old_it) + return; + if (new_it != m_Map.end()) { new_it->second->Release(); new_it->second = old_it->second; diff --git a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp index 73da3619bb..6f0fc76fc0 100644 --- a/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp +++ b/core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp @@ -885,9 +885,11 @@ FX_BOOL CPDF_Parser::RebuildCrossRef() { if (!pRoot || (pRef && IsValidObjectNumber(pRef->GetRefObjNum()) && m_ObjectInfo[pRef->GetRefObjNum()].pos != 0)) { - for (const auto& it : *pTrailer) { - const CFX_ByteString& key = it.first; - CPDF_Object* pElement = it.second; + auto it = pTrailer->begin(); + while (it != pTrailer->end()) { + const CFX_ByteString& key = it->first; + CPDF_Object* pElement = it->second; + ++it; FX_DWORD dwObjNum = pElement ? pElement->GetObjNum() : 0; if (dwObjNum) { diff --git a/fpdfsdk/src/fpdfppo.cpp b/fpdfsdk/src/fpdfppo.cpp index dac548131e..47b91015a9 100644 --- a/fpdfsdk/src/fpdfppo.cpp +++ b/fpdfsdk/src/fpdfppo.cpp @@ -213,9 +213,11 @@ FX_BOOL CPDF_PageOrganizer::UpdateReference(CPDF_Object* pObj, } case PDFOBJ_DICTIONARY: { CPDF_Dictionary* pDict = pObj->AsDictionary(); - for (const auto& it : *pDict) { - const CFX_ByteString& key = it.first; - CPDF_Object* pNextObj = it.second; + auto it = pDict->begin(); + while (it != pDict->end()) { + const CFX_ByteString& key = it->first; + CPDF_Object* pNextObj = it->second; + ++it; if (!FXSYS_strcmp(key, "Parent") || !FXSYS_strcmp(key, "Prev") || !FXSYS_strcmp(key, "First")) { continue; |