Add more checks for destroyed annotations in CFFL_FormFiller.

CFFL_FormFiller::CommitData() should check more rigorously and so should its callers. BUG=chromium:732051 Change-Id: If0cee8fb61de10dc7678dad89c330d75bee55aa4 Reviewed-on: https://pdfium-review.googlesource.com/6530 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
author: Lei Zhang <thestig@chromium.org> 2017-06-13 14:04:02 -0700
committer: Chromium commit bot <commit-bot@chromium.org> 2017-06-15 18:28:02 +0000
commit: 6a3fc45b9e238d9b7b601cb13be664391d393b42 (patch)
tree: 69182b8517f5ecea3ebe24f46fa72b43d70a7f26
parent: 65a55343e623924c9c3bbbd953097cf7fd0f5fc6 (diff)
download: pdfium-6a3fc45b9e238d9b7b601cb13be664391d393b42.tar.xz
4 files changed, 23 insertions, 11 deletions
diff --git a/fpdfsdk/formfiller/cffl_checkbox.cpp b/fpdfsdk/formfiller/cffl_checkbox.cpp
index d8227d8760..a81458e92d 100644
--- a/fpdfsdk/formfiller/cffl_checkbox.cpp
+++ b/fpdfsdk/formfiller/cffl_checkbox.cpp
@@ -61,8 +61,7 @@ bool CFFL_CheckBox::OnChar(CPDFSDK_Annot* pAnnot,
       if (CPWL_CheckBox* pWnd = (CPWL_CheckBox*)GetPDFWindow(pPageView, true))
         pWnd->SetCheck(!pWnd->IsChecked());
 
-      CommitData(pPageView, nFlags);
-      return true;
+      return CommitData(pPageView, nFlags);
     }
     default:
       return CFFL_FormFiller::OnChar(pAnnot, nChar, nFlags);
@@ -81,8 +80,7 @@ bool CFFL_CheckBox::OnLButtonUp(CPDFSDK_PageView* pPageView,
       pWnd->SetCheck(!pWidget->IsChecked());
     }
 
-    if (!CommitData(pPageView, nFlags))
-      return false;
+    return CommitData(pPageView, nFlags);
   }
 
   return true;
diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp
index 98a14e61af..cd531413c2 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_formfiller.cpp
@@ -258,7 +258,8 @@ void CFFL_FormFiller::KillFocusForAnnot(CPDFSDK_Annot* pAnnot, uint32_t nFlag) {
   if (!pPageView)
     return;
 
-  CommitData(pPageView, nFlag);
+  if (!CommitData(pPageView, nFlag))
+    return;
 
   if (CPWL_Wnd* pWnd = GetPDFWindow(pPageView, false))
     pWnd->KillFocus();
@@ -493,25 +494,37 @@ bool CFFL_FormFiller::CommitData(CPDFSDK_PageView* pPageView, uint32_t nFlag) {
         m_pFormFillEnv->GetInteractiveFormFiller();
     CPDFSDK_Annot::ObservedPtr pObserved(m_pWidget.Get());
     pFormFiller->OnKeyStrokeCommit(&pObserved, pPageView, bRC, bExit, nFlag);
-    if (!pObserved || bExit)
+    if (!pObserved)
+      return false;
+    if (bExit)
       return true;
     if (!bRC) {
       ResetPDFWindow(pPageView, false);
       return true;
     }
+
     pFormFiller->OnValidate(&pObserved, pPageView, bRC, bExit, nFlag);
-    if (!pObserved || bExit)
+    if (!pObserved)
+      return false;
+    if (bExit)
       return true;
     if (!bRC) {
       ResetPDFWindow(pPageView, false);
       return true;
     }
+
     SaveData(pPageView);
     pFormFiller->OnCalculate(m_pWidget.Get(), pPageView, bExit, nFlag);
+    if (!pObserved)
+      return false;
     if (bExit)
       return true;
 
     pFormFiller->OnFormat(m_pWidget.Get(), pPageView, bExit, nFlag);
+    if (!pObserved)
+      return false;
+    if (bExit)
+      return true;
   }
   return true;
 }
diff --git a/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp b/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp
index f36afa65d5..935e3fffb6 100644
--- a/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_interactiveformfiller.cpp
@@ -425,6 +425,9 @@ bool CFFL_InteractiveFormFiller::OnKillFocus(CPDFSDK_Annot::ObservedPtr* pAnnot,
   ASSERT((*pAnnot)->GetPDFAnnot()->GetSubtype() == CPDF_Annot::Subtype::WIDGET);
   if (CFFL_FormFiller* pFormFiller = GetFormFiller(pAnnot->Get(), false)) {
     pFormFiller->KillFocusForAnnot(pAnnot->Get(), nFlag);
+    if (!(*pAnnot))
+      return false;
+
     if (!m_bNotifying) {
       CPDFSDK_Widget* pWidget = static_cast<CPDFSDK_Widget*>(pAnnot->Get());
       if (pWidget->GetAAction(CPDF_AAction::LoseFocus).GetDict()) {
diff --git a/fpdfsdk/formfiller/cffl_radiobutton.cpp b/fpdfsdk/formfiller/cffl_radiobutton.cpp
index e5a5a98b9a..c6ce432d0c 100644
--- a/fpdfsdk/formfiller/cffl_radiobutton.cpp
+++ b/fpdfsdk/formfiller/cffl_radiobutton.cpp
@@ -60,8 +60,7 @@ bool CFFL_RadioButton::OnChar(CPDFSDK_Annot* pAnnot,
       if (CPWL_RadioButton* pWnd =
               (CPWL_RadioButton*)GetPDFWindow(pPageView, true))
         pWnd->SetCheck(true);
-      CommitData(pPageView, nFlags);
-      return true;
+      return CommitData(pPageView, nFlags);
     }
     default:
       return CFFL_FormFiller::OnChar(pAnnot, nChar, nFlags);
@@ -79,8 +78,7 @@ bool CFFL_RadioButton::OnLButtonUp(CPDFSDK_PageView* pPageView,
             (CPWL_RadioButton*)GetPDFWindow(pPageView, true))
       pWnd->SetCheck(true);
 
-    if (!CommitData(pPageView, nFlags))
-      return false;
+    return CommitData(pPageView, nFlags);
   }
 
   return true;
author	Lei Zhang <thestig@chromium.org>	2017-06-13 14:04:02 -0700
committer	Chromium commit bot <commit-bot@chromium.org>	2017-06-15 18:28:02 +0000
commit	6a3fc45b9e238d9b7b601cb13be664391d393b42 (patch)
tree	69182b8517f5ecea3ebe24f46fa72b43d70a7f26
parent	65a55343e623924c9c3bbbd953097cf7fd0f5fc6 (diff)
download	pdfium-6a3fc45b9e238d9b7b601cb13be664391d393b42.tar.xz