-rw-r--r-- | fpdfsdk/formfiller/cffl_combobox.cpp | 5 | ||||
-rw-r--r-- | fpdfsdk/formfiller/cffl_formfiller.cpp | 4 | ||||
-rw-r--r-- | fpdfsdk/formfiller/cffl_formfiller.h | 8 | ||||
-rw-r--r-- | fpdfsdk/formfiller/cffl_textfield.cpp | 5 |
4 files changed, 22 insertions, 0 deletions
diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp
index 35591cff74..f6aef20c02 100644
--- a/fpdfsdk/formfiller/cffl_combobox.cpp
+++ b/fpdfsdk/formfiller/cffl_combobox.cpp
@@ -24,6 +24,11 @@ CFFL_ComboBox::CFFL_ComboBox(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot)
 CFFL_ComboBox::~CFFL_ComboBox() {
 for (const auto& it : m_Maps) it.second->InvalidateFocusHandler(this);
+
+ // See comment in cffl_formfiller.h.
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ DestroyWindows();
 delete m_pFontMap;
 }
diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp
index f2c34647d0..92e9282a74 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_formfiller.cpp
@@ -27,6 +27,10 @@ CFFL_FormFiller::CFFL_FormFiller(CPDFDoc_Environment* pApp,
 }
 CFFL_FormFiller::~CFFL_FormFiller() {
+ DestroyWindows();
+}
+
+void CFFL_FormFiller::DestroyWindows() {
 for (const auto& it : m_Maps) {
 CPWL_Wnd* pWnd = it.second;
 CFFL_PrivateData* pData = (CFFL_PrivateData*)pWnd->GetAttachedData();
diff --git a/fpdfsdk/formfiller/cffl_formfiller.h b/fpdfsdk/formfiller/cffl_formfiller.h
index b1e323185b..060eb8f9e7 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.h
+++ b/fpdfsdk/formfiller/cffl_formfiller.h
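Review bot: The `DestroyWindows();` call added to `~CFFL_ComboBox()` fixes a destruction-order use-after-free, but the commit carries no regression test; the diffstat lists only the four formfiller sources. The same applies to the identical call added to `~CFFL_TextField()` in cffl_textfield.cpp. A test that tears down a combo box and a text field while their edit windows still exist, run under a memory-error detector such as AddressSanitizer, would catch the ordering regressing if `delete m_pFontMap;` is later moved or the font map changes owner.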
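Review bot: `CFFL_FormFiller::DestroyWindows()` now runs twice for `CFFL_ComboBox` and `CFFL_TextField`, once from the derived destructor and again from `~CFFL_FormFiller()`, so it has to be safe to call repeatedly. The loop body continues outside this hunk, so it is not visible here whether `m_Maps` is emptied once the windows are destroyed; if it is not, the second pass would walk stale `CPWL_Wnd*` entries. It is worth confirming that the function ends with `m_Maps.clear();` and stating the guarantee next to the declaration in cffl_formfiller.h, for example `// Safe to call more than once; the base destructor calls it again.`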
@@ -154,6 +154,14 @@ class CFFL_FormFiller : public IPWL_Provider, public CPWL_TimerHandler {
 protected:
 using CFFL_PageView2PDFWindow = std::map<CPDFSDK_PageView*, CPWL_Wnd*>;
+ // If the inheriting widget has its own fontmap and a PWL_Edit widget that
+ // access that fontmap then you have to call DestroyWindows before destroying
+ // the font map in order to not get a use-after-free.
+ //
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ void DestroyWindows();
+
 CPDFDoc_Environment* m_pApp;
 CPDFSDK_Widget* m_pWidget;
 CPDFSDK_Annot* m_pAnnot;
diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp
index aaa096a261..1947940094 100644
--- a/fpdfsdk/formfiller/cffl_textfield.cpp
+++ b/fpdfsdk/formfiller/cffl_textfield.cpp
@@ -17,6 +17,11 @@ CFFL_TextField::CFFL_TextField(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot)
 CFFL_TextField::~CFFL_TextField() {
 for (const auto& it : m_Maps) it.second->InvalidateFocusHandler(this);
+
+ // See comment in cffl_formfiller.h.
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ DestroyWindows();
 }
 PWL_CREATEPARAM CFFL_TextField::GetCreateParam() { |