author | Tom Sepez <tsepez@chromium.org> | 2015-09-09 09:58:10 -0700 |
---|---|---|
committer | Tom Sepez <tsepez@chromium.org> | 2015-09-09 09:58:10 -0700 |
commit | 9241e5a43990859f6f9a94aaa2c488d0451039e3 (patch) | |
tree | d59fa133dccca79cb9b2e9da5930cae8aa6ad75e /testing/embedder_test.cpp | |
parent | 343dbb841f4c12e819932e2b66dd70f817337d97 (diff) | |
Fix heap use after free in CPDFSDK_Annot::GetPDFAnnot.
Use two separate loops to kill current focus annot and to release annots
in current page. Loop to kill current focus annot is run first, so it
will not access deleted annots.
BUG=507316
R=tsepez@chromium.org
TEST=Reproduction steps mentioned in issue 507316 should not crash
chrome.
Unit test added to pdfium.
Run pdfium_embeddertests.exe.
Review URL: https://codereview.chromium.org/1312313006 .
Diffstat (limited to 'testing/embedder_test.cpp')
-rw-r--r-- | testing/embedder_test.cpp | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/testing/embedder_test.cpp b/testing/embedder_test.cpp
index 1476522e57..eb16bc70f9 100644
--- a/testing/embedder_test.cpp
+++ b/testing/embedder_test.cpp
@@ -221,6 +221,7 @@ bool EmbedderTest::OpenDocument(const std::string& filename) {
 formfillinfo->version = 1;
 formfillinfo->FFI_SetTimer = SetTimerTrampoline;
 formfillinfo->FFI_KillTimer = KillTimerTrampoline;
+ formfillinfo->FFI_GetPage = GetPageTrampoline;
 formfillinfo->m_pJsPlatform = platform;
 
 form_handle_ = FPDFDOC_InitFormFillEnvironment(document_, formfillinfo);
@@ -259,6 +260,15 @@ FPDF_PAGE EmbedderTest::LoadPage(int page_number) {
 return page;
 }
 
+FPDF_PAGE EmbedderTest::LoadAndCachePage(int page_number) {
+ FPDF_PAGE page = delegate_->GetPage(form_handle_, document_, page_number);
+ if (!page) {
+ return nullptr;
+ }
+ FORM_DoPageAAction(page, form_handle_, FPDFPAGE_AACTION_OPEN);
+ return page;
+}
+
 FPDF_BITMAP EmbedderTest::RenderPage(FPDF_PAGE page) {
 int width = static_cast<int>(FPDF_GetPageWidth(page));
 int height = static_cast<int>(FPDF_GetPageHeight(page));
@@ -275,6 +285,22 @@ void EmbedderTest::UnloadPage(FPDF_PAGE page) {
 FPDF_ClosePage(page);
 }
 
+FPDF_PAGE EmbedderTest::Delegate::GetPage(FPDF_FORMHANDLE form_handle,
+ FPDF_DOCUMENT document,
+ int page_index) {
+ auto it = m_pageMap.find(page_index);
+ if (it != m_pageMap.end()) {
+ return it->second;
+ }
+ FPDF_PAGE page = FPDF_LoadPage(document, page_index);
+ if (!page) {
+ return nullptr;
+ }
+ m_pageMap[page_index] = page;
+ FORM_OnAfterLoadPage(page, form_handle);
+ return page;
+}
+
 // static
 void EmbedderTest::UnsupportedHandlerTrampoline(UNSUPPORT_INFO* info,
 int type) {
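Review bot: `LoadAndCachePage` returns a page that the delegate's `m_pageMap` still references, but nothing in the hunk tells a test author not to release it the way a `LoadPage` result is released. `UnloadPage` (visible as context in the following hunk) calls `FPDF_ClosePage(page)`, so a test that pairs the two would leave a closed handle in the cache, and the next `GetPage` for that index would hand it back to the form-fill code. A comment on the definition would make the ownership explicit, for example `// Returned page stays in the delegate's cache; never pass it to UnloadPage().`. The declaration is presumably in the header, which this file-limited diff does not show, and would want the same note.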
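Review bot: The cache in `Delegate::GetPage` is keyed on `page_index` alone and the `document` argument takes no part in the lookup, so a delegate that outlives one document, or a fixture that closes and reopens a document, would get back an `FPDF_PAGE` that belongs to the old one. No line in this diff closes the cached pages or erases entries; if teardown elsewhere does not do it either, the handles leak or go stale. Consider closing the pages and clearing `m_pageMap` wherever the document is closed, and stating the assumption above the lookup with `// Entries are valid only for the currently open document.`. Separately, `m_pageMap[page_index] = page;` repeats the search that `find` has just done; `m_pageMap.emplace(page_index, page);` is sufficient.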
@@ -306,6 +332,14 @@ void EmbedderTest::KillTimerTrampoline(FPDF_FORMFILLINFO* info, int id) {
 return test->delegate_->KillTimer(id);
 }
 
+// static
+FPDF_PAGE EmbedderTest::GetPageTrampoline(FPDF_FORMFILLINFO* info,
+ FPDF_DOCUMENT document,
+ int page_index) {
+ EmbedderTest* test = static_cast<EmbedderTest*>(info);
+ return test->delegate_->GetPage(test->m_pFormfillinfo, document, page_index);
+}
+
 // Can't use gtest-provided main since we need to stash the path to the
 // executable in order to find the external V8 binary data files.
 int main(int argc, char** argv) { |
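Review bot: `GetPageTrampoline` passes `test->m_pFormfillinfo` as the `form_handle` argument, whereas `LoadAndCachePage` passes `form_handle_` for the same parameter, and `Delegate::GetPage` forwards whichever it receives straight to `FORM_OnAfterLoadPage(page, form_handle)`. Unless `m_pFormfillinfo` is guaranteed to hold the handle returned by `FPDFDOC_InitFormFillEnvironment`, a page first loaded through the callback is registered with a different pointer than one loaded by the test. `return test->delegate_->GetPage(test->form_handle_, document, page_index);` would make the two paths agree. The `static_cast<EmbedderTest*>(info)` also assumes `info` is the fixture itself, which deserves a one-line comment such as `// info is assumed to be the EmbedderTest that registered this callback.`.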