summaryrefslogtreecommitdiff
path: root/core/fpdfapi
diff options
context:
space:
mode:
authorArtem Strygin <art-snake@yandex-team.ru>2017-10-04 19:43:10 +0300
committerChromium commit bot <commit-bot@chromium.org>2017-10-04 17:31:05 +0000
commitadb19b0b11ab16a406d23797564fc0ec3a5da245 (patch)
treecfc6b1d4b23a4433e0dd8026750bd5914eb2b78d /core/fpdfapi
parent3e3a78b68c31a5e7b27ef9ebd35f287603abe7fa (diff)
downloadpdfium-adb19b0b11ab16a406d23797564fc0ec3a5da245.tar.xz
Fix Heap-use-after-free in CPDF_SecurityHandler::~CPDF_SecurityHandler.
The CPDF_SecurityHandler contains unowned reference to "ID" array, which is owned by main trailer. Main trailer is owned by CPDF_Parser::m_TrailerData To fix this issue set m_TrailerData before m_pSecurityHandler(CPDF_SecurityHandler) in CPDF_Parser members list. Bug: chromium:771479 Change-Id: I38413ba16b1454ac775c8a07b126fa3b86714c1b Reviewed-on: https://pdfium-review.googlesource.com/15430 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Art Snake <art-snake@yandex-team.ru>
Diffstat (limited to 'core/fpdfapi')
-rw-r--r--core/fpdfapi/parser/cpdf_parser.cpp1
-rw-r--r--core/fpdfapi/parser/cpdf_parser.h4
2 files changed, 3 insertions, 2 deletions
diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index b6231a7a6a..6957c84071 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -101,7 +101,6 @@ CPDF_Parser::CPDF_Parser()
m_bHasParsed(false),
m_bXRefStream(false),
m_FileVersion(0),
- m_pEncryptDict(nullptr),
m_TrailerData(pdfium::MakeUnique<TrailerData>()) {}
CPDF_Parser::~CPDF_Parser() {
diff --git a/core/fpdfapi/parser/cpdf_parser.h b/core/fpdfapi/parser/cpdf_parser.h
index 96bd6f43a9..a58838e5fb 100644
--- a/core/fpdfapi/parser/cpdf_parser.h
+++ b/core/fpdfapi/parser/cpdf_parser.h
@@ -200,11 +200,13 @@ class CPDF_Parser {
bool m_bHasParsed;
bool m_bXRefStream;
int m_FileVersion;
+ // m_TrailerData must be destroyed after m_pSecurityHandler due to the
+ // ownership of the ID array data.
+ std::unique_ptr<TrailerData> m_TrailerData;
UnownedPtr<CPDF_Dictionary> m_pEncryptDict;
FX_FILESIZE m_LastXRefOffset;
std::unique_ptr<CPDF_SecurityHandler> m_pSecurityHandler;
ByteString m_Password;
- std::unique_ptr<TrailerData> m_TrailerData;
std::unique_ptr<CPDF_LinearizedHeader> m_pLinearized;
// A map of object numbers to indirect streams.