From 0924119cae45955525b25c915b3eda90d3e3bd20 Mon Sep 17 00:00:00 2001
From: Henrique Nakashima
Date: Tue, 22 Aug 2017 17:28:17 -0400
Subject: Fixed ASan crash when unloading page with CFFL_ListBox.

The crash was caused by a dangling pointer in CPWL_ListCtrl to the font map owned by CFF_TextObject.

The order of events was:
1. ~CFFL_ListBox runs and calls parent destructor ~CFFL_TextObject.
2. ~CFFL_TextObject runs and deletes its member m_pFontMap. m_FontMap was referenced by CPWL_ListCtrl which is now dangling.
3. ~CFFL_TextObject calls parent destructor ~CFFL_FormFiller.
4. ~CFFL_FormFiller calls DestroyWindows().
5. CFFL_FormFiller::DestroyWindows() deletes widgets, among them CPWL_ListBox.
6. ~CPWL_ListBox deletes its member CPWL_ListCtrl.
7. ~CPWL_ListCtrl sees a dangling pointer to the map and crashes.

Making the DestroyWindows() call earlier in the destructor of CFFL_TextObject, we execute steps 5-7 before freeing m_pFontMap. An extra DestroyWindows() is still made in ~CFFL_FormFiller, but it is then non-op if the derived CFFL_TextObject already called it.

Bug: chromium:757506
Change-Id: Ib8dce04f1dd0bcf8e10701f6cf7ea500bfb5ba84
Reviewed-on: https://pdfium-review.googlesource.com/11651
Commit-Queue: Henrique Nakashima
Reviewed-by: dsinclair
---
 fpdfsdk/formfiller/cffl_textobject.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fpdfsdk/formfiller/cffl_textobject.cpp b/fpdfsdk/formfiller/cffl_textobject.cpp
index d84557eb88..df2f5e5a92 100644
--- a/fpdfsdk/formfiller/cffl_textobject.cpp
+++ b/fpdfsdk/formfiller/cffl_textobject.cpp
@@ -24,7 +24,11 @@ CFFL_TextObject::CFFL_TextObject(CPDFSDK_FormFillEnvironment* pApp, CPDFSDK_Widget* pWidget) : CFFL_FormFiller(pApp, pWidget) {} -CFFL_TextObject::~CFFL_TextObject() {} +CFFL_TextObject::~CFFL_TextObject() { + // Destroy view classes before this object's members are destroyed since + // the view classes have pointers to m_pFontMap that would be left dangling. + DestroyWindows(); +} CBA_FontMap* CFFL_TextObject::MaybeCreateFontMap() { if (!m_pFontMap) { -- cgit v1.2.3
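Review bot: the new ~CFFL_TextObject body relies on CFFL_FormFiller::DestroyWindows() being safe to call a second time from ~CFFL_FormFiller, but nothing in this hunk shows that guarantee; please reference or add the early-return in DestroyWindows() so a later change there cannot turn the deliberate double call into a double delete of the widgets. Since the root cause is CPWL_ListCtrl keeping a raw pointer to a map owned by a different object, the lifetime requirement ("views must be destroyed before m_pFontMap") would be better recorded next to the m_pFontMap declaration in the header as well as in this destructor comment, and the change would benefit from a regression test that loads and unloads a page containing a list box so the ASan crash described in the commit message stays covered.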
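The seven-step destruction order in the commit message follows directly from C++ rules: a derived destructor body runs first, then that class's members are destroyed, then the base destructor body runs. The following is an added, constructed model of that ordering (FontMap, ListCtrl, FormFiller, TextObject and ListBox are stand-ins for the pdfium classes, not pdfium code); it records the teardown events so the pre-fix order (map freed before the view) and the post-fix order (view freed first) can be compared without actually dereferencing a dangling pointer.

```cpp
#include <memory>
#include <string>
#include <vector>
// Constructed, simplified model of the hierarchy in the commit message; the
// names are stand-ins for pdfium's classes, not pdfium code.
using Trace = std::vector<std::string>;

struct FontMap {
  Trace* trace;
  explicit FontMap(Trace* t) : trace(t) {}
  ~FontMap() { trace->push_back("~FontMap"); }
};
// View object with a NON-owning pointer to the map, like CPWL_ListCtrl.
struct ListCtrl {
  Trace* trace;
  FontMap* font_map;  // dangling if ~FontMap has already run
  ListCtrl(Trace* t, FontMap* fm) : trace(t), font_map(fm) {}
  ~ListCtrl() { trace->push_back("~ListCtrl"); }  // pdfium's ~CPWL_ListCtrl used the map here
};
struct FormFiller {
  Trace* trace;
  std::unique_ptr<ListCtrl> window;
  explicit FormFiller(Trace* t) : trace(t) {}
  // Idempotent, so the second call from ~FormFiller is a no-op.
  void DestroyWindows() {
    if (window) { trace->push_back("DestroyWindows"); window.reset(); }
  }
  virtual ~FormFiller() { DestroyWindows(); }
};
struct TextObject : FormFiller {
  bool destroy_early;
  std::unique_ptr<FontMap> font_map;  // destroyed right after ~TextObject's body
  TextObject(Trace* t, bool early)
      : FormFiller(t), destroy_early(early), font_map(std::make_unique<FontMap>(t)) {
    window = std::make_unique<ListCtrl>(t, font_map.get());
  }
  // The fix: tear the views down while font_map is still alive.
  ~TextObject() override { if (destroy_early) DestroyWindows(); }
};
struct ListBox : TextObject {
  using TextObject::TextObject;
  ~ListBox() override { trace->push_back("~ListBox"); }
};
// Destroys a ListBox and returns the destruction events, comma-separated.
std::string TeardownOrder(bool destroy_early) {
  Trace trace;
  { ListBox box(&trace, destroy_early); }  // whole destructor chain runs here
  std::string out;
  for (const auto& e : trace) out += (out.empty() ? "" : ",") + e;
  return out;
}
```

With `destroy_early` false the map is freed before the view (the crashing order); with it true the view goes first, which is what moving DestroyWindows() into ~CFFL_TextObject achieves.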