[Merge M62] Fix UAF after destroying a widget during OnBeforeKeyStroke().

> Bug: chromium:766957 > Change-Id: I61b282059fb4fc2c8ba6dafc502f030f31dd324d > Reviewed-on: https://pdfium-review.googlesource.com/14710 > Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> > Reviewed-by: Tom Sepez <tsepez@chromium.org> Change-Id: I1dae26d28dd5720b57d8696a77fe3b514646edcd Reviewed-on: https://pdfium-review.googlesource.com/14835 Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
author: Henrique Nakashima <hnakashima@chromium.org> 2017-09-26 16:44:20 -0400
committer: Chromium commit bot <commit-bot@chromium.org> 2017-09-26 21:19:43 +0000
commit: 26d87f53b5c1e7169455fdaf8e2305e3b9fcbb54 (patch)
tree: dd5fc1b4ff4b9a42e28f9cd0a14bad9aa3be9e0f
parent: 6f7bd9fdc4f4d7f21e468c47ee3e5616330541a6 (diff)
download: pdfium-26d87f53b5c1e7169455fdaf8e2305e3b9fcbb54.tar.xz
2 files changed, 17 insertions, 0 deletions
diff --git a/fpdfsdk/pwl/cpwl_edit.cpp b/fpdfsdk/pwl/cpwl_edit.cpp
index 4558e432ac..0a2aff643b 100644
--- a/fpdfsdk/pwl/cpwl_edit.cpp
+++ b/fpdfsdk/pwl/cpwl_edit.cpp
@@ -473,11 +473,17 @@ bool CPWL_Edit::OnKeyDown(uint16_t nChar, uint32_t nFlag) {
       if (nSelStart == nSelEnd)
         nSelEnd = nSelStart + 1;
 
+      CPWL_Wnd::ObservedPtr thisObserved(this);
+
       bool bRC;
       bool bExit;
       std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
           GetAttachedData(), strChange, strChangeEx, nSelStart, nSelEnd, true,
           nFlag);
+
+      if (!thisObserved)
+        return false;
+
       if (!bRC)
         return false;
       if (bExit)
@@ -550,10 +556,15 @@ bool CPWL_Edit::OnChar(uint16_t nChar, uint32_t nFlag) {
           break;
       }
 
+      CPWL_Wnd::ObservedPtr thisObserved(this);
+
       CFX_WideString strChangeEx;
       std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
           GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, true,
           nFlag);
+
+      if (!thisObserved)
+        return false;
     }
   }
 
diff --git a/fpdfsdk/pwl/cpwl_list_box.cpp b/fpdfsdk/pwl/cpwl_list_box.cpp
index a9c553ee5b..6cbf73ed16 100644
--- a/fpdfsdk/pwl/cpwl_list_box.cpp
+++ b/fpdfsdk/pwl/cpwl_list_box.cpp
@@ -260,6 +260,8 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) {
   if (!m_pFillerNotify)
     return false;
 
+  CPWL_Wnd::ObservedPtr thisObserved(this);
+
   CFX_WideString swChange = GetText();
   CFX_WideString strChangeEx;
   int nSelStart = 0;
@@ -269,6 +271,10 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) {
   std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
       GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, bKeyDown,
       nFlag);
+
+  if (!thisObserved)
+    return false;
+
   return bExit;
 }
author	Henrique Nakashima <hnakashima@chromium.org>	2017-09-26 16:44:20 -0400
committer	Chromium commit bot <commit-bot@chromium.org>	2017-09-26 21:19:43 +0000
commit	26d87f53b5c1e7169455fdaf8e2305e3b9fcbb54 (patch)
tree	dd5fc1b4ff4b9a42e28f9cd0a14bad9aa3be9e0f
parent	6f7bd9fdc4f4d7f21e468c47ee3e5616330541a6 (diff)
download	pdfium-26d87f53b5c1e7169455fdaf8e2305e3b9fcbb54.tar.xz