author | Tom Sepez <tsepez@chromium.org> | 2015-06-02 10:09:49 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-06-02 10:09:49 -0700 |
commit | 4ff7a4246c81a71b4f878e959b3ca304cd76ec8a (patch) | |
tree | 2a8002655a6300e69408d08196bb86a6f1b0145f /fpdfsdk/src/pdfwindow | |
parent | 8e1b60824d079546c8cc3f0e3d9fa0ea9fa980fa (diff) | |
Fix heap use after free in Document::DoFieldDelay and Document::delay
This fix removes CJS_DelayData object from m_DelayData array and copies them to
a new array, before processing them. So contents of m_DelayData array cannot be
used after they get freed.
BUG=487928
R=tsepez@chromium.org
TEST= Chrome pdf plugin should not crash when poc_stable,testuafdocument1.pdf
and testuafdocument2.pdf are viewed.
see crbug.com/487928 and crbug.com/487928#c18 for more details.
Review URL: https://codereview.chromium.org/1163823002
Diffstat (limited to 'fpdfsdk/src/pdfwindow')
0 files changed, 0 insertions, 0 deletions
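The commit message describes detaching the queued entries into a new array before processing them. The sketch below is an added illustration of that pattern, not PDFium code: `DelayQueue`, `DelayItem`, `Flush` and `Reset` are hypothetical names, `pending_` stands in for the role the message gives `m_DelayData`, and the handler stands in for any processing step that can re-enter the queue.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for one queued delayed operation.
struct DelayItem { std::string field; };

class DelayQueue {
public:
    void Add(const std::string& field) {
        pending_.push_back(std::unique_ptr<DelayItem>(new DelayItem{field}));
    }
    // Reentrant entry point: a handler may call this while Flush() is running.
    void Reset() { pending_.clear(); }
    std::size_t PendingCount() const { return pending_.size(); }

    // Detach every entry into a local vector before any handler runs, so a
    // handler that mutates pending_ cannot free an item still being processed.
    template <typename Handler>
    int Flush(Handler handler) {
        std::vector<std::unique_ptr<DelayItem>> batch;
        batch.swap(pending_);  // pending_ is now empty; batch owns the items
        int processed = 0;
        for (const auto& item : batch) {
            handler(*this, *item);
            ++processed;
        }
        return processed;  // batch releases the items only after the last use
    }

private:
    std::vector<std::unique_ptr<DelayItem>> pending_;
};

// Constructed scenario: every handler call resets the queue and re-queues work.
std::string RunReentrantScenario(DelayQueue& q) {
    std::string seen;
    q.Flush([&seen](DelayQueue& self, const DelayItem& item) {
        seen += item.field;
        self.Reset();      // only touches the already detached member list
        self.Add("late");  // lands in pending_ for the next Flush()
    });
    return seen;
}

int main() {
    DelayQueue q;
    q.Add("a"); q.Add("b"); q.Add("c");
    std::cout << RunReentrantScenario(q) << " pending=" << q.PendingCount() << "\n";
}
```

Iterating `pending_` directly in `Flush` would let the `Reset()` call destroy the element currently being handled; owning the batch locally keeps every item alive until the loop finishes.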