diff options
author | Artem Strygin <art-snake@yandex-team.ru> | 2017-10-04 19:43:10 +0300 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-04 17:31:05 +0000 |
commit | adb19b0b11ab16a406d23797564fc0ec3a5da245 (patch) | |
tree | cfc6b1d4b23a4433e0dd8026750bd5914eb2b78d /core/fpdfapi/parser/cpdf_parser.h | |
parent | 3e3a78b68c31a5e7b27ef9ebd35f287603abe7fa (diff) | |
download | pdfium-adb19b0b11ab16a406d23797564fc0ec3a5da245.tar.xz |
Fix Heap-use-after-free in CPDF_SecurityHandler::~CPDF_SecurityHandler.
The CPDF_SecurityHandler contains unowned reference to "ID" array, which is owned by main trailer.
Main trailer is owned by CPDF_Parser::m_TrailerData
To fix this issue
set m_TrailerData before m_pSecurityHandler(CPDF_SecurityHandler) in CPDF_Parser members list.
Bug: chromium:771479
Change-Id: I38413ba16b1454ac775c8a07b126fa3b86714c1b
Reviewed-on: https://pdfium-review.googlesource.com/15430
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Art Snake <art-snake@yandex-team.ru>
Diffstat (limited to 'core/fpdfapi/parser/cpdf_parser.h')
-rw-r--r-- | core/fpdfapi/parser/cpdf_parser.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/core/fpdfapi/parser/cpdf_parser.h b/core/fpdfapi/parser/cpdf_parser.h index 96bd6f43a9..a58838e5fb 100644 --- a/core/fpdfapi/parser/cpdf_parser.h +++ b/core/fpdfapi/parser/cpdf_parser.h @@ -200,11 +200,13 @@ class CPDF_Parser { bool m_bHasParsed; bool m_bXRefStream; int m_FileVersion; + // m_TrailerData must be destroyed after m_pSecurityHandler due to the + // ownership of the ID array data. + std::unique_ptr<TrailerData> m_TrailerData; UnownedPtr<CPDF_Dictionary> m_pEncryptDict; FX_FILESIZE m_LastXRefOffset; std::unique_ptr<CPDF_SecurityHandler> m_pSecurityHandler; ByteString m_Password; - std::unique_ptr<TrailerData> m_TrailerData; std::unique_ptr<CPDF_LinearizedHeader> m_pLinearized; // A map of object numbers to indirect streams. |