summaryrefslogtreecommitdiff
path: root/third_party/libtiff/0020-upstream-security-fixes.patch
diff options
context:
space:
mode:
authorHenrique Nakashima <hnakashima@chromium.org>2017-08-22 17:28:17 -0400
committerChromium commit bot <commit-bot@chromium.org>2017-08-23 20:49:50 +0000
commit0924119cae45955525b25c915b3eda90d3e3bd20 (patch)
tree5b570b3b9b29db4e64fd845c8bc95da00719a4d3 /third_party/libtiff/0020-upstream-security-fixes.patch
parente9fcd8e242d6fa655ca5a576a3dde9abbda24b64 (diff)
downloadpdfium-0924119cae45955525b25c915b3eda90d3e3bd20.tar.xz
Fixed ASan crash when unloading page with CFFL_ListBox.
The crash was caused by a dangling pointer in CPWL_ListCtrl to the font map owned by CFF_TextObject. The order of events was: 1. ~CFFL_ListBox runs and calls parent destructor ~CFFL_TextObject. 2. ~CFFL_TextObject runs and deletes its member m_pFontMap. m_FontMap was referenced by CPWL_ListCtrl which is now dangling. 3. ~CFFL_TextObject calls parent destructor ~CFFL_FormFiller. 4. ~CFFL_FormFiller calls DestroyWindows(). 5. CFFL_FormFiller::DestroyWindows() deletes widgets, among them CPWL_ListBox. 6. ~CPWL_ListBox deletes its member CPWL_ListCtrl. 7. ~CPWL_ListCtrl sees a dangling pointer to the map and crashes. Making the DestroyWindows() call earlier in the destructor of CFFL_TextObject, we execute steps 5-7 before freeing m_pFontMap. An extra DestroyWindows() is still made in ~CFFL_FormFiller, but it is then non-op if the derived CFFL_TextObject already called it. Bug: chromium:757506 Change-Id: Ib8dce04f1dd0bcf8e10701f6cf7ea500bfb5ba84 Reviewed-on: https://pdfium-review.googlesource.com/11651 Commit-Queue: Henrique Nakashima <hnakashima@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'third_party/libtiff/0020-upstream-security-fixes.patch')
0 files changed, 0 insertions, 0 deletions