diff options
author | Henrique Nakashima <hnakashima@chromium.org> | 2017-08-22 17:28:17 -0400 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-08-23 20:49:50 +0000 |
commit | 0924119cae45955525b25c915b3eda90d3e3bd20 (patch) | |
tree | 5b570b3b9b29db4e64fd845c8bc95da00719a4d3 /third_party/libpng16/0004-invalid-icc.patch | |
parent | e9fcd8e242d6fa655ca5a576a3dde9abbda24b64 (diff) | |
download | pdfium-0924119cae45955525b25c915b3eda90d3e3bd20.tar.xz |
Fixed ASan crash when unloading page with CFFL_ListBox.
The crash was caused by a dangling pointer in CPWL_ListCtrl to
the font map owned by CFF_TextObject. The order of events was:
1. ~CFFL_ListBox runs and calls parent destructor ~CFFL_TextObject.
2. ~CFFL_TextObject runs and deletes its member m_pFontMap. m_FontMap
was referenced by CPWL_ListCtrl which is now dangling.
3. ~CFFL_TextObject calls parent destructor ~CFFL_FormFiller.
4. ~CFFL_FormFiller calls DestroyWindows().
5. CFFL_FormFiller::DestroyWindows() deletes widgets, among them
CPWL_ListBox.
6. ~CPWL_ListBox deletes its member CPWL_ListCtrl.
7. ~CPWL_ListCtrl sees a dangling pointer to the map and crashes.
Making the DestroyWindows() call earlier in the destructor of
CFFL_TextObject, we execute steps 5-7 before freeing m_pFontMap.
An extra DestroyWindows() is still made in ~CFFL_FormFiller, but
it is then non-op if the derived CFFL_TextObject already called it.
Bug: chromium:757506
Change-Id: Ib8dce04f1dd0bcf8e10701f6cf7ea500bfb5ba84
Reviewed-on: https://pdfium-review.googlesource.com/11651
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/libpng16/0004-invalid-icc.patch')
0 files changed, 0 insertions, 0 deletions