summaryrefslogtreecommitdiff
path: root/testing/resources/javascript
diff options
context:
space:
mode:
authortsepez <tsepez@chromium.org>2017-01-12 11:15:04 -0800
committerCommit bot <commit-bot@chromium.org>2017-01-12 11:15:04 -0800
commit192497124e7cde747ade7bf89028586eea293be5 (patch)
tree2f287d34769d464e33c3cae76e7b94c78729e244 /testing/resources/javascript
parent73debd4d226114b88430f2cc30dac056be5c13f3 (diff)
downloadpdfium-192497124e7cde747ade7bf89028586eea293be5.tar.xz
Custom toString() methods may delete annots.
In this case, we observe the destruction of the object, but have unfortunately saved a pointer to it in a local variable. BUG=679643 Review-Url: https://codereview.chromium.org/2628233002
Diffstat (limited to 'testing/resources/javascript')
-rw-r--r--testing/resources/javascript/bug_679643.in135
-rw-r--r--testing/resources/javascript/bug_679643_expected.txt3
2 files changed, 138 insertions, 0 deletions
diff --git a/testing/resources/javascript/bug_679643.in b/testing/resources/javascript/bug_679643.in
new file mode 100644
index 0000000000..e9643860f7
--- /dev/null
+++ b/testing/resources/javascript/bug_679643.in
@@ -0,0 +1,135 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm 4 0 R
+ /OpenAction 10 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [
+ 3 0 R
+ ]
+>>
+endobj
+% Page number 0.
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /Resources <<
+ /Font <</F1 15 0 R>>
+ >>
+ /Contents [21 0 R]
+ /MediaBox [0 0 612 792]
+ /Annots [7 0 R 8 0 R 9 0 R]
+>>
+endobj
+% Forms
+{{object 4 0}} <<
+ /XFA [
+ (xdp:xdp) 23 0 R
+ (form) 29 0 R
+ (</xdp:xdp>) 30 0 R
+ ]
+ /Fields [
+ 5 0 R
+ ]
+>>
+endobj
+% Fields
+{{object 5 0}} <<
+ /T (MyField)
+ /Kids [
+ 6 0 R
+ ]
+ /Rect [100 100 400 400]
+>>
+endobj
+{{object 6 0}} <<
+ /Parent 5 0 R
+ /FT /Btn
+ /Kids [
+ 7 0 R
+ 8 0 R
+ 9 0 R
+ ]
+ /Rect [200 200 220 220]
+>>
+endobj
+{{object 7 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [220 220 240 240]
+>>
+endobj
+{{object 8 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [240 240 260 260]
+>>
+endobj
+{{object 9 0}} <<
+ /Parent 6 0 R
+ /Type /Annot
+ /Subtype /Widget
+ /Rect [240 240 260 260]
+>>
+endobj
+% OpenAction action
+{{object 10 0}} <<
+ /Type /Action
+ /S /JavaScript
+ /JS 11 0 R
+>>
+endobj
+% JS program to exexute
+{{object 11 0}} <<
+>>
+stream
+var theName = "MyField";
+function Mangles() {
+ app.alert('Starting ...');
+ try {
+ var annots = this.getAnnots();
+ annots[0].name = {
+ toString: () => {
+ app.alert('Firing ...');
+ this.removeField(theName);
+ gc();
+ return false;
+ }
+ };
+ } catch (e) {
+ app.alert("failed: " + e);
+ }
+}
+Mangles();
+endstream
+endobj
+{{object 23 0}} <<
+>>stream
+<?xml version="1.0" encoding="UTF-8"?>
+<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
+endstream
+endobj
+{{object 29 0}} <<
+>>stream
+<config></config>
+<template></template>
+endstream
+endobj
+{{object 30 0}} <<
+>>stream
+</xdp:xdp>
+endstream
+endobj
+{{xref}}
+trailer <<
+ /Root 1 0 R
+>>
+{{startxref}}
+%%EOF
diff --git a/testing/resources/javascript/bug_679643_expected.txt b/testing/resources/javascript/bug_679643_expected.txt
new file mode 100644
index 0000000000..36d4a31344
--- /dev/null
+++ b/testing/resources/javascript/bug_679643_expected.txt
@@ -0,0 +1,3 @@
+Alert: Starting ...
+Alert: Firing ...
+Alert: failed: Annot.name: Object no longer exists.