author | Henrique Nakashima <hnakashima@chromium.org> | 2017-10-04 11:08:45 -0400 |
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-10-04 16:02:44 +0000 |
commit | 55469aed5acffcce3259d37418ba9e8b8e60d801 (patch) | |
tree | fbee70533185e962adebb082dfa587e80c325873 /fpdfsdk/pwl/cpwl_wnd.h | |
parent | a5fc8975c865dc3cc90de8ff46ca13fb46c13391 (diff) | |
download | pdfium-55469aed5acffcce3259d37418ba9e8b8e60d801.tar.xz |
Fix UAF in SetVisible().
SetVisible() may be called during Destroy() which may be called
during SetVisible().
This fixes the latest in a family of bugs that occur after an
instance is freed by JS-triggered code while the instance is still
executing one of its own methods.
The CL has a lot of protection for many of these points where JS
may be executed and potentially destroy objects. The return types
of many methods that may execute JS have been changed to bool,
indicating whether the instance is still alive after the call.
Bug: chromium:770148
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-on: https://pdfium-review.googlesource.com/15190
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'fpdfsdk/pwl/cpwl_wnd.h')
-rw-r--r-- | fpdfsdk/pwl/cpwl_wnd.h | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/fpdfsdk/pwl/cpwl_wnd.h b/fpdfsdk/pwl/cpwl_wnd.h index c37fa2fff3..38d4ce0918 100644 --- a/fpdfsdk/pwl/cpwl_wnd.h +++ b/fpdfsdk/pwl/cpwl_wnd.h @@ -151,7 +151,9 @@ class CPWL_Wnd : public CPWL_TimerHandler, public Observable<CPWL_Wnd> { ~CPWL_Wnd() override; virtual ByteString GetClassName() const; - virtual void InvalidateRect(CFX_FloatRect* pRect); + + // Returns |true| iff this instance is still allocated. + virtual bool InvalidateRect(CFX_FloatRect* pRect); virtual bool OnKeyDown(uint16_t nChar, uint32_t nFlag); virtual bool OnChar(uint16_t nChar, uint32_t nFlag); @@ -173,7 +175,9 @@ class CPWL_Wnd : public CPWL_TimerHandler, public Observable<CPWL_Wnd> { virtual void SetFocus(); virtual void KillFocus(); virtual void SetCursor(); - virtual void SetVisible(bool bVisible); + + // Returns |true| iff this instance is still allocated. + virtual bool SetVisible(bool bVisible); virtual void SetFontSize(float fFontSize); virtual float GetFontSize() const; @@ -186,7 +190,7 @@ class CPWL_Wnd : public CPWL_TimerHandler, public Observable<CPWL_Wnd> { void InvalidateProvider(ProviderIface* provider); void Create(const CreateParams& cp); void Destroy(); - void Move(const CFX_FloatRect& rcNew, bool bReset, bool bRefresh); + bool Move(const CFX_FloatRect& rcNew, bool bReset, bool bRefresh); void SetCapture(); void ReleaseCapture(); @@ -252,7 +256,9 @@ class CPWL_Wnd : public CPWL_TimerHandler, public Observable<CPWL_Wnd> { CFX_SystemHandler* GetSystemHandler() const override; virtual void CreateChildWnd(const CreateParams& cp); - virtual void RePosChildWnd(); + + // Returns |true| iff this instance is still allocated. + virtual bool RePosChildWnd(); virtual void DrawThisAppearance(CFX_RenderDevice* pDevice, const CFX_Matrix& mtUser2Device); 
@@ -269,7 +275,8 @@ class CPWL_Wnd : public CPWL_TimerHandler, public Observable<CPWL_Wnd> { bool IsValid() const { return m_bCreated; } const CreateParams& GetCreationParams() const { return m_CreationParams; } - void InvalidateRectMove(const CFX_FloatRect& rcOld, + // Returns |true| iff this instance is still allocated. + bool InvalidateRectMove(const CFX_FloatRect& rcOld, const CFX_FloatRect& rcNew); bool IsWndCaptureMouse(const CPWL_Wnd* pWnd) const; |
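Review bot: In the third hunk, `Move()` changes its return type to bool without the `// Returns |true| iff this instance is still allocated.` comment that this same commit adds above InvalidateRect, SetVisible, RePosChildWnd and InvalidateRectMove, so a reader of the header cannot tell that Move() carries the same liveness contract. Add the identical comment line above `bool Move(const CFX_FloatRect& rcNew, bool bReset, bool bRefresh);`. Because the whole fix depends on callers checking the result before touching `this` again, a call site that discards the bool silently reintroduces the use-after-free; if the project has a warn-unused-result attribute or macro available in this header, applying it to these five declarations would let the compiler flag such call sites. The CPWL_Wnd class body begins before the first hunk and continues past the last one, so the corresponding .cpp definitions are not visible here.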