summaryrefslogtreecommitdiff
path: root/fpdfsdk
diff options
context:
space:
mode:
authortsepez <tsepez@chromium.org>2017-01-12 11:15:04 -0800
committerCommit bot <commit-bot@chromium.org>2017-01-12 11:15:04 -0800
commit192497124e7cde747ade7bf89028586eea293be5 (patch)
tree2f287d34769d464e33c3cae76e7b94c78729e244 /fpdfsdk
parent73debd4d226114b88430f2cc30dac056be5c13f3 (diff)
downloadpdfium-192497124e7cde747ade7bf89028586eea293be5.tar.xz
Custom toString() methods may delete annots.
In this case, we observe the destruction of the object, but have unfortunately saved a pointer to it in a local variable. BUG=679643 Review-Url: https://codereview.chromium.org/2628233002
Diffstat (limited to 'fpdfsdk')
-rw-r--r--fpdfsdk/javascript/Annot.cpp49
-rw-r--r--fpdfsdk/javascript/JS_Value.h5
2 files changed, 33 insertions, 21 deletions
diff --git a/fpdfsdk/javascript/Annot.cpp b/fpdfsdk/javascript/Annot.cpp
index 0c16b3b05a..1aef4634f2 100644
--- a/fpdfsdk/javascript/Annot.cpp
+++ b/fpdfsdk/javascript/Annot.cpp
@@ -38,20 +38,24 @@ Annot::Annot(CJS_Object* pJSObject) : CJS_EmbedObj(pJSObject) {}
Annot::~Annot() {}
bool Annot::hidden(IJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) {
- CPDFSDK_BAAnnot* baAnnot = ToBAAnnot(m_pAnnot.Get());
- if (!baAnnot)
- return false;
-
if (vp.IsGetting()) {
- CPDF_Annot* pPDFAnnot = baAnnot->GetPDFAnnot();
+ if (!m_pAnnot) {
+ sError = JSGetStringFromID(IDS_STRING_JSBADOBJECT);
+ return false;
+ }
+ CPDF_Annot* pPDFAnnot = ToBAAnnot(m_pAnnot.Get())->GetPDFAnnot();
vp << CPDF_Annot::IsAnnotationHidden(pPDFAnnot->GetAnnotDict());
return true;
}
bool bHidden;
- vp >> bHidden;
+ vp >> bHidden; // May invalidate m_pAnnot.
+ if (!m_pAnnot) {
+ sError = JSGetStringFromID(IDS_STRING_JSBADOBJECT);
+ return false;
+ }
- uint32_t flags = baAnnot->GetFlags();
+ uint32_t flags = ToBAAnnot(m_pAnnot.Get())->GetFlags();
if (bHidden) {
flags |= ANNOTFLAG_HIDDEN;
flags |= ANNOTFLAG_INVISIBLE;
@@ -63,23 +67,28 @@ bool Annot::hidden(IJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) {
flags &= ~ANNOTFLAG_NOVIEW;
flags |= ANNOTFLAG_PRINT;
}
- baAnnot->SetFlags(flags);
+ ToBAAnnot(m_pAnnot.Get())->SetFlags(flags);
return true;
}
bool Annot::name(IJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) {
- CPDFSDK_BAAnnot* baAnnot = ToBAAnnot(m_pAnnot.Get());
- if (!baAnnot)
- return false;
-
if (vp.IsGetting()) {
- vp << baAnnot->GetAnnotName();
+ if (!m_pAnnot) {
+ sError = JSGetStringFromID(IDS_STRING_JSBADOBJECT);
+ return false;
+ }
+ vp << ToBAAnnot(m_pAnnot.Get())->GetAnnotName();
return true;
}
CFX_WideString annotName;
- vp >> annotName;
- baAnnot->SetAnnotName(annotName);
+ vp >> annotName; // May invalidate m_pAnnot.
+ if (!m_pAnnot) {
+ sError = JSGetStringFromID(IDS_STRING_JSBADOBJECT);
+ return false;
+ }
+
+ ToBAAnnot(m_pAnnot.Get())->SetAnnotName(annotName);
return true;
}
@@ -88,12 +97,12 @@ bool Annot::type(IJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) {
sError = JSGetStringFromID(IDS_STRING_JSREADONLY);
return false;
}
-
- CPDFSDK_BAAnnot* baAnnot = ToBAAnnot(m_pAnnot.Get());
- if (!baAnnot)
+ if (!m_pAnnot) {
+ sError = JSGetStringFromID(IDS_STRING_JSBADOBJECT);
return false;
-
- vp << CPDF_Annot::AnnotSubtypeToString(baAnnot->GetAnnotSubtype());
+ }
+ vp << CPDF_Annot::AnnotSubtypeToString(
+ ToBAAnnot(m_pAnnot.Get())->GetAnnotSubtype());
return true;
}
diff --git a/fpdfsdk/javascript/JS_Value.h b/fpdfsdk/javascript/JS_Value.h
index ff2c620980..313f0c3e7b 100644
--- a/fpdfsdk/javascript/JS_Value.h
+++ b/fpdfsdk/javascript/JS_Value.h
@@ -92,6 +92,7 @@ class CJS_PropValue {
CJS_Runtime* GetJSRuntime() const { return m_pJSRuntime; }
CJS_Value* GetJSValue() { return &m_Value; }
+ // These calls may re-enter JS (and hence invalidate objects).
void operator<<(int val);
void operator>>(int&) const;
void operator<<(bool val);
@@ -127,13 +128,15 @@ class CJS_Array {
virtual ~CJS_Array();
void Attach(v8::Local<v8::Array> pArray);
+ int GetLength(CJS_Runtime* pRuntime) const;
+
+ // These two calls may re-enter JS (and hence invalidate objects).
void GetElement(CJS_Runtime* pRuntime,
unsigned index,
CJS_Value& value) const;
void SetElement(CJS_Runtime* pRuntime,
unsigned index,
const CJS_Value& value);
- int GetLength(CJS_Runtime* pRuntime) const;
v8::Local<v8::Array> ToV8Array(CJS_Runtime* pRuntime) const;