authorLuật Nguyễn <manhluat93.php@gmail.com>2017-10-10 12:39:22 +0800
committerChromium commit bot <commit-bot@chromium.org>2017-10-10 20:12:46 +0000
commit1886471c3432dee4d9a9be5678a757dde8717652 (patch)
tree437dd29735be2351e475819798e40edddf41b50b
parentdd002931a16a99b0c6e6ae7b6cba9d4dafb27e18 (diff)
downloadpdfium-1886471c3432dee4d9a9be5678a757dde8717652.tar.xz
Fix UAF in SaveData on all of CFFL_* types.
Bug: 756427 Change-Id: I8e31d96c6f3b83a6464ed69c95225362c50386d1 Reviewed-on: https://pdfium-review.googlesource.com/15870 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
-rw-r--r--AUTHORS3
-rw-r--r--fpdfsdk/formfiller/cffl_checkbox.cpp6
-rw-r--r--fpdfsdk/formfiller/cffl_combobox.cpp7
-rw-r--r--fpdfsdk/formfiller/cffl_formfiller.cpp5
-rw-r--r--fpdfsdk/formfiller/cffl_listbox.cpp9
-rw-r--r--fpdfsdk/formfiller/cffl_radiobutton.cpp6
-rw-r--r--fpdfsdk/formfiller/cffl_textfield.cpp16
7 files changed, 43 insertions, 9 deletions
diff --git a/AUTHORS b/AUTHORS
index 0c84bf9ef5..ffd889e38a 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -27,13 +27,14 @@ Ke Liu <stackexploit@gmail.com>
Kostya Serebryany <kcc@chromium.org>
Lei Zhang <thestig@chromium.org>
Lucas Nihlen <luken@chromium.org>
+Luật Nguyễn <manhluat93.php@gmail.com>
Matt Giuca <mgiuca@chromium.org>
Michael Doppler <m.doppler@gmail.com>
Miklos Vajna <vmiklos@vmiklos.hu>
Nico Weber <thakis@chromium.org>
Peter Kasting <pkasting@chromium.org>
Raymes Khoury <raymes@chromium.org>
-Reid Kleckner <rnk@chromium.org>
+Reid Kleckner <rnk@chromium.org>
Ryan Wiley <wileyrr@gmail.com>
Robert Sesek <rsesek@chromium.org>
Sam Clegg <sbc@chromium.org>
diff --git a/fpdfsdk/formfiller/cffl_checkbox.cpp b/fpdfsdk/formfiller/cffl_checkbox.cpp
index 2863a56001..e9c72efd39 100644
--- a/fpdfsdk/formfiller/cffl_checkbox.cpp
+++ b/fpdfsdk/formfiller/cffl_checkbox.cpp
@@ -111,9 +111,15 @@ void CFFL_CheckBox::SaveData(CPDFSDK_PageView* pPageView) {
}
}
}
+ CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+ CFFL_CheckBox::ObservedPtr observed_this(this);
m_pWidget->SetCheck(bNewChecked, false);
+ if (!observed_widget)
+ return;
m_pWidget->UpdateField();
+ if (!observed_widget || !observed_this)
+ return;
SetChangeMark();
}
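Review bot: The guard after `m_pWidget->SetCheck(bNewChecked, false);` tests only `observed_widget`, but the very next statement, `m_pWidget->UpdateField();`, reads `m_pWidget`, which is a member of `this`; if whatever callback runs inside SetCheck can destroy this CFFL_CheckBox while the widget survives, that read is itself a use-after-free. `observed_this` is already live at that point, so the guard can simply be `if (!observed_widget || !observed_this) return;`, matching the one placed before `SetChangeMark()`. Whether that teardown order is reachable is not visible from the hunk, but the wider check costs nothing and removes the dependence on it. SaveData's body starts outside the hunk.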
diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp
index ab34a650c5..d9b12f5d3c 100644
--- a/fpdfsdk/formfiller/cffl_combobox.cpp
+++ b/fpdfsdk/formfiller/cffl_combobox.cpp
@@ -108,11 +108,16 @@ void CFFL_ComboBox::SaveData(CPDFSDK_PageView* pPageView) {
m_pWidget->GetSelectedIndex(0);
m_pWidget->SetOptionSelection(nCurSel, true, false);
}
+ CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+ CFFL_ComboBox::ObservedPtr observed_this(this);
m_pWidget->ResetFieldAppearance(true);
+ if (!observed_widget)
+ return;
m_pWidget->UpdateField();
+ if (!observed_widget || !observed_this)
+ return;
SetChangeMark();
-
m_pWidget->GetPDFPage();
}
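Review bot: The trailing `m_pWidget->GetPDFPage();` on the last line of the hunk discards its return value and has no visible effect, so it reads as a leftover that the commit kept while deleting the blank line above it; either drop it or add a comment saying why the call matters. Separately, the guard after `m_pWidget->ResetFieldAppearance(true);` tests only `observed_widget` before `m_pWidget->UpdateField();` reads a member of `this`; `if (!observed_widget || !observed_this) return;` there would also cover the case where the form filler is torn down but the widget is not, should that order be reachable. SaveData's body starts outside the hunk.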
diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp
index 1ed7ffa420..8f48c029da 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_formfiller.cpp
@@ -491,7 +491,10 @@ bool CFFL_FormFiller::CommitData(CPDFSDK_PageView* pPageView, uint32_t nFlag) {
if (!pObserved)
return false;
- SaveData(pPageView);
+ SaveData(pPageView); // may invoking JS to delete this widget.
+ if (!pObserved)
+ return false;
+
pFormFiller->OnCalculate(&pObserved, pPageView, nFlag);
if (!pObserved)
return false;
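Review bot: The comment added on the `SaveData(pPageView);` line is ungrammatical and does not say what is being re-checked; I would write `// SaveData() may run callbacks that destroy the widget; re-check pObserved before using it.` Note that `pObserved` observes the widget, not this CFFL_FormFiller, so if the widget's destruction also frees the form filler (not visible here), the remainder of CommitData must not touch members of `this` after this point — the lines in the hunk only use `pObserved` and `pFormFiller`, which appear to be locals, so that looks fine as far as it is visible. CommitData's body starts and ends outside the hunk.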
diff --git a/fpdfsdk/formfiller/cffl_listbox.cpp b/fpdfsdk/formfiller/cffl_listbox.cpp
index 9dad11d3a0..e628e59cb8 100644
--- a/fpdfsdk/formfiller/cffl_listbox.cpp
+++ b/fpdfsdk/formfiller/cffl_listbox.cpp
@@ -117,9 +117,18 @@ void CFFL_ListBox::SaveData(CPDFSDK_PageView* pPageView) {
} else {
m_pWidget->SetOptionSelection(pListBox->GetCurSel(), true, false);
}
+ CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+ CFFL_ListBox::ObservedPtr observed_this(this);
+
m_pWidget->SetTopVisibleIndex(nNewTopIndex);
+ if (!observed_widget)
+ return;
m_pWidget->ResetFieldAppearance(true);
+ if (!observed_widget)
+ return;
m_pWidget->UpdateField();
+ if (!observed_widget || !observed_this)
+ return;
SetChangeMark();
}
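Review bot: The tail of this SaveData — `ResetFieldAppearance(true)`, `if (!observed_widget) return;`, `UpdateField()`, `if (!observed_widget || !observed_this) return;`, `SetChangeMark()` — is now repeated almost verbatim across the CFFL_* overrides in this commit, and each copy has to get the guard sequence exactly right. A small helper on CFFL_FormFiller that constructs its own observers and performs that refresh-and-mark sequence would let each override keep only its type-specific mutation and the guard that follows it, so the next widget type cannot omit a check. This depends on CFFL_FormFiller being Observable itself, which the hunk does not show (only `CFFL_ListBox::ObservedPtr` is visible), so confirm that before extracting. SaveData's body starts outside the hunk.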
diff --git a/fpdfsdk/formfiller/cffl_radiobutton.cpp b/fpdfsdk/formfiller/cffl_radiobutton.cpp
index f8ada67ff3..73ac44de46 100644
--- a/fpdfsdk/formfiller/cffl_radiobutton.cpp
+++ b/fpdfsdk/formfiller/cffl_radiobutton.cpp
@@ -102,9 +102,15 @@ void CFFL_RadioButton::SaveData(CPDFSDK_PageView* pPageView) {
}
}
}
+ CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+ CFFL_RadioButton::ObservedPtr observed_this(this);
m_pWidget->SetCheck(bNewChecked, false);
+ if (!observed_widget)
+ return;
m_pWidget->UpdateField();
+ if (!observed_widget || !observed_this)
+ return;
SetChangeMark();
}
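Review bot: As in CFFL_CheckBox::SaveData in this same commit, the guard after `m_pWidget->SetCheck(bNewChecked, false);` checks only `observed_widget`, yet `m_pWidget->UpdateField();` on the next line reads a member of `this`; if the callback inside SetCheck can free this CFFL_RadioButton without freeing the widget, that read is a use-after-free the commit does not close. Since `observed_this` already exists at that point, `if (!observed_widget || !observed_this) return;` there is a free and self-contained fix. Whether that destruction order is reachable cannot be seen from the hunk, so treat this as defensive hardening. SaveData's body starts outside the hunk.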
diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp
index 4174ae4179..ad8d27c916 100644
--- a/fpdfsdk/formfiller/cffl_textfield.cpp
+++ b/fpdfsdk/formfiller/cffl_textfield.cpp
@@ -141,13 +141,17 @@ void CFFL_TextField::SaveData(CPDFSDK_PageView* pPageView) {
CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
CFFL_TextField::ObservedPtr observed_this(this);
+
m_pWidget->SetValue(sNewValue, false);
- if (observed_widget)
- m_pWidget->ResetFieldAppearance(true);
- if (observed_widget)
- m_pWidget->UpdateField();
- if (observed_this)
- SetChangeMark();
+ if (!observed_widget)
+ return;
+ m_pWidget->ResetFieldAppearance(true);
+ if (!observed_widget)
+ return;
+ m_pWidget->UpdateField();
+ if (!observed_widget || !observed_this)
+ return;
+ SetChangeMark();
}
void CFFL_TextField::GetActionData(CPDFSDK_PageView* pPageView,
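Review bot: None of the observer pairs introduced by this commit carries a comment explaining why they exist, and this hunk holds the pattern the others were copied from, so the reason is best recorded here: I would put `// The calls below may run callbacks that destroy the widget or this filler; re-check after each one.` directly above `CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());`. The rewrite also changes behaviour slightly — before, `SetChangeMark()` still ran when the widget had died but `this` survived, and now it is skipped — which looks intentional but deserves a sentence in the commit message. SaveData's body starts outside the hunk, and the trailing context line belongs to GetActionData, which continues outside it.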