Age | Commit message (Collapse) | Author |
|
If somehow different length values could be obtained by two successive calls
to Doc_getFilePath() (and FieldBrowse() for that matter), and the method is
true to the API documentation that says "The return value always indicated
number of bytes required for the buffer, even when there is no buffer
specified, or the buffer size is less then required", then it is possible
to get a returned length describing memory beyond the current buffer.
We can make the corresponding JS_docGetFilePath() method more robust against
this case by applying better checks to the returned value.
This probably is unrelated since ASAN seems to be flagging the corresponding bug
as UAF, but doesn't hurt to make things more robust.
BUG=392956
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/423233002
|
|
Calling `delete` on an object of a type that has virtual functions but
not a virtual destructor is questionable: Since the object has virtual functions,
it likely has subclasses, so if it's deleted through the base pointer and the
destructor isn't virtual, the subclass destructor won't be called.
In most cases, the classes getting deleted can just be marked final to tell
the compiler that it can't possibly have subclasses (this also enables the
compiler to generate better code).
Two classes didn't have any sub- or superclasses but virtual functions -
this doesn't make sense, so make all methods of these classes non-virtual.
(Also delete an unused function on one of the two classes.)
In one case, a class actually did have a subclass that needs to be deleted
virtually, so mark one destructor as virtual.
BUG=none
R=bo_xu@foxitsoftware.com
Review URL: https://codereview.chromium.org/370853002
|
|
BUG=382639
R=mdempsky@chromium.org
Review URL: https://codereview.chromium.org/354673002
|
|
|
|
|