diff options
| author | Henrique Nakashima <hnakashima@chromium.org> | 2017-10-04 11:08:45 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-04 16:02:44 +0000 |
| commit | 55469aed5acffcce3259d37418ba9e8b8e60d801 (patch) | |
| tree | fbee70533185e962adebb082dfa587e80c325873 /fpdfsdk/pwl/cpwl_edit_ctrl.cpp | |
| parent | a5fc8975c865dc3cc90de8ff46ca13fb46c13391 (diff) | |
| download | pdfium-55469aed5acffcce3259d37418ba9e8b8e60d801.tar.xz | |
Fix UAF in SetVisible().
SetVisible() may be called during Destroy() which may be called
during SetVisible().
This fixes the latest in a family of bugs that happen after an
instance is freed by code triggered by JS code while it's executing
a method.
The CL has a lot of protection for many of these points where JS
may be executed and potentially destroy objects. The return types
of many methods that may execute JS have been changed to bool,
indicating whether the instance is still alive after the call.
Bug: chromium:770148
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-on: https://pdfium-review.googlesource.com/15190
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'fpdfsdk/pwl/cpwl_edit_ctrl.cpp')
| -rw-r--r-- | fpdfsdk/pwl/cpwl_edit_ctrl.cpp | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/fpdfsdk/pwl/cpwl_edit_ctrl.cpp b/fpdfsdk/pwl/cpwl_edit_ctrl.cpp index f0fc408771..2fe6e28c59 100644 --- a/fpdfsdk/pwl/cpwl_edit_ctrl.cpp +++ b/fpdfsdk/pwl/cpwl_edit_ctrl.cpp @@ -67,8 +67,9 @@ void CPWL_EditCtrl::ReplaceSelection(const WideString& text) { m_pEdit->InsertText(text, FX_CHARSET_Default); } -void CPWL_EditCtrl::RePosChildWnd() { +bool CPWL_EditCtrl::RePosChildWnd() { m_pEdit->SetPlateRect(GetClientRect()); + return true; } void CPWL_EditCtrl::SetScrollInfo(const PWL_SCROLL_INFO& info) { @@ -264,8 +265,8 @@ bool CPWL_EditCtrl::OnLButtonDown(const CFX_PointF& point, uint32_t nFlag) { CPWL_Wnd::OnLButtonDown(point, nFlag); if (ClientHitTest(point)) { - if (m_bMouseDown) - InvalidateRect(nullptr); + if (m_bMouseDown && !InvalidateRect(nullptr)) + return true; m_bMouseDown = true; SetCapture(); @@ -307,6 +308,8 @@ void CPWL_EditCtrl::SetEditCaret(bool bVisible) { GetCaretInfo(&ptHead, &ptFoot); SetCaret(bVisible, ptHead, ptFoot); + // Note, |this| may no longer be viable at this point. If more work needs to + // be done, check the return value of SetCaret(). } void CPWL_EditCtrl::GetCaretInfo(CFX_PointF* ptHead, CFX_PointF* ptFoot) const { @@ -327,15 +330,21 @@ void CPWL_EditCtrl::GetCaretInfo(CFX_PointF* ptHead, CFX_PointF* ptFoot) const { } } -void CPWL_EditCtrl::SetCaret(bool bVisible, +bool CPWL_EditCtrl::SetCaret(bool bVisible, const CFX_PointF& ptHead, const CFX_PointF& ptFoot) { - if (m_pEditCaret) { - if (!IsFocused() || m_pEdit->IsSelected()) - bVisible = false; + if (!m_pEditCaret) + return true; - m_pEditCaret->SetCaret(bVisible, ptHead, ptFoot); - } + if (!IsFocused() || m_pEdit->IsSelected()) + bVisible = false; + + ObservedPtr thisObserved(this); + m_pEditCaret->SetCaret(bVisible, ptHead, ptFoot); + if (!thisObserved) + return false; + + return true; } WideString CPWL_EditCtrl::GetText() const { |