diff options
| author | Henrique Nakashima <hnakashima@chromium.org> | 2017-09-22 12:23:47 -0400 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-09-22 18:22:06 +0000 |
| commit | f5777a117a7557507616eaf585de5eb266531e16 (patch) | |
| tree | 6aa102811db0d7e110acb38915699177efcab77f /fpdfsdk | |
| parent | 92827b695a69c7a3fd5940dc0aa1713fe3f3ee96 (diff) | |
| download | pdfium-f5777a117a7557507616eaf585de5eb266531e16.tar.xz | |
Fix UAF after destroying a widget during OnBeforeKeyStroke().chromium/3223
Bug: chromium:766957
Change-Id: I61b282059fb4fc2c8ba6dafc502f030f31dd324d
Reviewed-on: https://pdfium-review.googlesource.com/14710
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'fpdfsdk')
| -rw-r--r-- | fpdfsdk/pwl/cpwl_edit.cpp | 11 | ||||
| -rw-r--r-- | fpdfsdk/pwl/cpwl_list_box.cpp | 6 |
2 files changed, 17 insertions, 0 deletions
diff --git a/fpdfsdk/pwl/cpwl_edit.cpp b/fpdfsdk/pwl/cpwl_edit.cpp index 0b74a1896e..662c69e369 100644 --- a/fpdfsdk/pwl/cpwl_edit.cpp +++ b/fpdfsdk/pwl/cpwl_edit.cpp @@ -481,11 +481,17 @@ bool CPWL_Edit::OnKeyDown(uint16_t nChar, uint32_t nFlag) { if (nSelStart == nSelEnd) nSelEnd = nSelStart + 1; + CPWL_Wnd::ObservedPtr thisObserved(this); + bool bRC; bool bExit; std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), strChange, strChangeEx, nSelStart, nSelEnd, true, nFlag); + + if (!thisObserved) + return false; + if (!bRC) return false; if (bExit) @@ -558,10 +564,15 @@ bool CPWL_Edit::OnChar(uint16_t nChar, uint32_t nFlag) { break; } + CPWL_Wnd::ObservedPtr thisObserved(this); + WideString strChangeEx; std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, true, nFlag); + + if (!thisObserved) + return false; } } diff --git a/fpdfsdk/pwl/cpwl_list_box.cpp b/fpdfsdk/pwl/cpwl_list_box.cpp index b5c629392b..c8f7be995d 100644 --- a/fpdfsdk/pwl/cpwl_list_box.cpp +++ b/fpdfsdk/pwl/cpwl_list_box.cpp @@ -260,6 +260,8 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) { if (!m_pFillerNotify) return false; + CPWL_Wnd::ObservedPtr thisObserved(this); + WideString swChange = GetText(); WideString strChangeEx; int nSelStart = 0; @@ -269,6 +271,10 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) { std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, bKeyDown, nFlag); + + if (!thisObserved) + return false; + return bExit; } |