path: root/fpdfsdk/formfiller/cffl_textobject.cpp
Age | Commit message | Author
2017-08-23 | Fixed ASan crash when unloading page with CFFL_ListBox. | Henrique Nakashima

The crash was caused by a dangling pointer in CPWL_ListCtrl to the font map owned by CFFL_TextObject. The order of events was:

1. ~CFFL_ListBox runs and calls parent destructor ~CFFL_TextObject.
2. ~CFFL_TextObject runs and deletes its member m_pFontMap. m_pFontMap was referenced by CPWL_ListCtrl, which is now dangling.
3. ~CFFL_TextObject calls parent destructor ~CFFL_FormFiller.
4. ~CFFL_FormFiller calls DestroyWindows().
5. CFFL_FormFiller::DestroyWindows() deletes widgets, among them CPWL_ListBox.
6. ~CPWL_ListBox deletes its member CPWL_ListCtrl.
7. ~CPWL_ListCtrl sees a dangling pointer to the map and crashes.

By making the DestroyWindows() call earlier in the destructor of CFFL_TextObject, we execute steps 5-7 before freeing m_pFontMap. An extra DestroyWindows() call is still made in ~CFFL_FormFiller, but it is then a no-op if the derived CFFL_TextObject already called it.

Bug: chromium:757506
Change-Id: Ib8dce04f1dd0bcf8e10701f6cf7ea500bfb5ba84
Reviewed-on: https://pdfium-review.googlesource.com/11651
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
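The destructor ordering described in the commit message above, as an added C++ illustration that is not pdfium's code: Trace, FontMap, ListCtrl, FormFiller, TextObject and RunTeardown are hypothetical stand-ins for the classes named in the message, and the dangling pointer is reported through a liveness flag rather than dereferenced, so the program stays well-defined while still showing which teardown order leaves the non-owning pointer dangling.

```cpp
#include <memory>
#include <string>
#include <vector>
// Hypothetical stand-ins for the pdfium classes named in the commit message.
struct Trace {
  std::vector<std::string> events;
  bool font_map_alive = true;  // whether the "font map" still exists
};
struct FontMap {
  Trace* trace = nullptr;
  ~FontMap() { trace->font_map_alive = false; trace->events.push_back("~FontMap"); }
};
// Like CPWL_ListCtrl: keeps a non-owning pointer to a map it does not own.
struct ListCtrl {
  Trace* trace = nullptr;
  FontMap* font_map = nullptr;
  ~ListCtrl() {
    // Record liveness instead of dereferencing font_map (UB once it dangles).
    trace->events.push_back(trace->font_map_alive ? "~ListCtrl: map alive"
                                                  : "~ListCtrl: map DANGLING");
  }
};
// Like CFFL_FormFiller: owns the widgets and tears them down in its destructor.
struct FormFiller {
  std::unique_ptr<ListCtrl> widget;
  void DestroyWindows() { widget.reset(); }  // no-op once already called
  virtual ~FormFiller() { DestroyWindows(); }
};
// Like CFFL_TextObject: owns the font map the widget points at.
struct TextObject : FormFiller {
  std::unique_ptr<FontMap> font_map;
  bool apply_fix = false;
  ~TextObject() override {
    if (apply_fix) DestroyWindows();  // the fix: free widgets before the map
    font_map.reset();                 // ~FormFiller runs after this body
  }
};
// Builds the object graph, destroys it, and returns the teardown events.
std::vector<std::string> RunTeardown(bool apply_fix) {
  Trace trace;
  {
    TextObject obj;
    obj.apply_fix = apply_fix;
    obj.font_map = std::make_unique<FontMap>();
    obj.font_map->trace = &trace;
    obj.widget = std::make_unique<ListCtrl>();
    obj.widget->trace = &trace;
    obj.widget->font_map = obj.font_map.get();
  }
  return trace.events;
}
```

Without the fix the map is freed before the widget destructor runs (steps 2 then 5-7 above); with the fix the widget goes first and the base class's second DestroyWindows() finds nothing left to do.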
2017-08-02 | Add CFFL_TextField class. (chromium/3175) | Lei Zhang

This class implements common code used by several CFFL_FormFiller sub-classes. Make those sub-classes inherit from CFFL_TextField, instead of inheriting from CFFL_FormFiller directly and then implementing the same functionality multiple times.

Change-Id: Iad8a735b6d6e18e89d617636b753805d3f77a286
Reviewed-on: https://pdfium-review.googlesource.com/9850
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>