diff options
| author | jinming_wang <jinming_wang@foxitsoftware.com> | 2016-04-20 08:37:21 +0800 |
|---|---|---|
| committer | jinming_wang <jinming_wang@foxitsoftware.com> | 2016-04-20 08:37:21 +0800 |
| commit | b02012d565e2596c79c41c6fbf7f2ed88c4bbc51 (patch) | |
| tree | b29d752e71c3b75835c93ae72622687989d82061 | |
| parent | b67e566ed29b7115ceaca18aad046f1784435730 (diff) | |
| download | pdfium-b02012d565e2596c79c41c6fbf7f2ed88c4bbc51.tar.xz | |
fix issue of Heap Use-After-Free in CXFA_LayoutItem::AddChild
BUG=chromium:590711
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1901013002 .
| -rw-r--r-- | xfa/fxfa/parser/xfa_layout_itemlayout.cpp | 42 |
1 files changed, 22 insertions, 20 deletions
diff --git a/xfa/fxfa/parser/xfa_layout_itemlayout.cpp b/xfa/fxfa/parser/xfa_layout_itemlayout.cpp index 1d3e31e276..b5d3bff885 100644 --- a/xfa/fxfa/parser/xfa_layout_itemlayout.cpp +++ b/xfa/fxfa/parser/xfa_layout_itemlayout.cpp @@ -545,27 +545,29 @@ void CXFA_LayoutItem::RemoveChild(CXFA_LayoutItem* pChildItem) { CXFA_ContentLayoutItem* CXFA_ItemLayoutProcessor::ExtractLayoutItem() { CXFA_ContentLayoutItem* pLayoutItem = m_pLayoutItem; if (pLayoutItem) { - m_pLayoutItem = (CXFA_ContentLayoutItem*)pLayoutItem->m_pNextSibling; - pLayoutItem->m_pNextSibling = NULL; - } - if (m_nCurChildNodeStage == XFA_ItemLayoutProcessorStages_Done && - ToContentLayoutItem(m_pOldLayoutItem)) { - if (m_pOldLayoutItem->m_pPrev) { - m_pOldLayoutItem->m_pPrev->m_pNext = NULL; - } - CXFA_FFNotify* pNotify = - m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify(); - CXFA_LayoutProcessor* pDocLayout = - m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout(); - CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem; - while (pOldLayoutItem) { - CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext; - pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem); - delete pOldLayoutItem; - pOldLayoutItem = pNextOldLayoutItem; - } - m_pOldLayoutItem = NULL; + m_pLayoutItem = + static_cast<CXFA_ContentLayoutItem*>(pLayoutItem->m_pNextSibling); + pLayoutItem->m_pNextSibling = nullptr; } + if (m_nCurChildNodeStage != XFA_ItemLayoutProcessorStages_Done || + !ToContentLayoutItem(m_pOldLayoutItem)) + return pLayoutItem; + if (m_pOldLayoutItem->m_pPrev) + m_pOldLayoutItem->m_pPrev->m_pNext = nullptr; + CXFA_FFNotify* pNotify = + m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify(); + CXFA_LayoutProcessor* pDocLayout = + m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout(); + CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem; + while (pOldLayoutItem) { + CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext; + pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem); + if (pOldLayoutItem->m_pParent) + pOldLayoutItem->m_pParent->RemoveChild(pOldLayoutItem); + delete pOldLayoutItem; + pOldLayoutItem = pNextOldLayoutItem; + } + m_pOldLayoutItem = nullptr; return pLayoutItem; } static FX_BOOL XFA_ItemLayoutProcessor_FindBreakNode( |