diff options
| author | dsinclair <dsinclair@chromium.org> | 2016-08-22 13:36:02 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-08-22 13:36:02 -0700 |
| commit | 28a4a2410f24910c709578d981cae3bb8153fdba (patch) | |
| tree | aa3a65e4eed59d14872a8d322f772a3b5ba6b531 | |
| parent | 236e47afa53d3f065024cc6490a49b431c108078 (diff) | |
| download | pdfium-28a4a2410f24910c709578d981cae3bb8153fdba.tar.xz | |
Destroy window before cleaning up combobox
Currently, when we destroy a CFFL_ComboBox we'll cleanup the fontmap and then
call the destructor for the parent type. This will case the PWL_Wnd to be
destroyed. In this case, the window is a PWL_Edit. On destruction it will reset
the focus which causes the text selection to change, which asks the font map
for data but we've already destroyed the font map.
This CL forces the destruction of the window earlier in order to have the
fontmap available. A followup bug is filed to correct the location of the
fontmap so we don't have this dependency.
BUG=chromium:637546
Review-Url: https://codereview.chromium.org/2266943002
| -rw-r--r-- | fpdfsdk/formfiller/cffl_combobox.cpp | 5 | ||||
| -rw-r--r-- | fpdfsdk/formfiller/cffl_formfiller.cpp | 4 | ||||
| -rw-r--r-- | fpdfsdk/formfiller/cffl_formfiller.h | 8 | ||||
| -rw-r--r-- | fpdfsdk/formfiller/cffl_textfield.cpp | 5 |
4 files changed, 22 insertions, 0 deletions
diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp index 35591cff74..f6aef20c02 100644 --- a/fpdfsdk/formfiller/cffl_combobox.cpp +++ b/fpdfsdk/formfiller/cffl_combobox.cpp @@ -24,6 +24,11 @@ CFFL_ComboBox::CFFL_ComboBox(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot) CFFL_ComboBox::~CFFL_ComboBox() { for (const auto& it : m_Maps) it.second->InvalidateFocusHandler(this); + + // See comment in cffl_formfiller.h. + // The font map should be stored somewhere more appropriate so it will live + // until the PWL_Edit is done with it. pdfium:566 + DestroyWindows(); delete m_pFontMap; } diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp index f2c34647d0..92e9282a74 100644 --- a/fpdfsdk/formfiller/cffl_formfiller.cpp +++ b/fpdfsdk/formfiller/cffl_formfiller.cpp @@ -27,6 +27,10 @@ CFFL_FormFiller::CFFL_FormFiller(CPDFDoc_Environment* pApp, } CFFL_FormFiller::~CFFL_FormFiller() { + DestroyWindows(); +} + +void CFFL_FormFiller::DestroyWindows() { for (const auto& it : m_Maps) { CPWL_Wnd* pWnd = it.second; CFFL_PrivateData* pData = (CFFL_PrivateData*)pWnd->GetAttachedData(); diff --git a/fpdfsdk/formfiller/cffl_formfiller.h b/fpdfsdk/formfiller/cffl_formfiller.h index b1e323185b..060eb8f9e7 100644 --- a/fpdfsdk/formfiller/cffl_formfiller.h +++ b/fpdfsdk/formfiller/cffl_formfiller.h @@ -154,6 +154,14 @@ class CFFL_FormFiller : public IPWL_Provider, public CPWL_TimerHandler { protected: using CFFL_PageView2PDFWindow = std::map<CPDFSDK_PageView*, CPWL_Wnd*>; + // If the inheriting widget has its own fontmap and a PWL_Edit widget that + // access that fontmap then you have to call DestroyWindows before destroying + // the font map in order to not get a use-after-free. + // + // The font map should be stored somewhere more appropriate so it will live + // until the PWL_Edit is done with it. pdfium:566 + void DestroyWindows(); + CPDFDoc_Environment* m_pApp; CPDFSDK_Widget* m_pWidget; CPDFSDK_Annot* m_pAnnot; diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp index aaa096a261..1947940094 100644 --- a/fpdfsdk/formfiller/cffl_textfield.cpp +++ b/fpdfsdk/formfiller/cffl_textfield.cpp @@ -17,6 +17,11 @@ CFFL_TextField::CFFL_TextField(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot) CFFL_TextField::~CFFL_TextField() { for (const auto& it : m_Maps) it.second->InvalidateFocusHandler(this); + + // See comment in cffl_formfiller.h. + // The font map should be stored somewhere more appropriate so it will live + // until the PWL_Edit is done with it. pdfium:566 + DestroyWindows(); } PWL_CREATEPARAM CFFL_TextField::GetCreateParam() { |