From 26d87f53b5c1e7169455fdaf8e2305e3b9fcbb54 Mon Sep 17 00:00:00 2001 From: Henrique Nakashima Date: Tue, 26 Sep 2017 16:44:20 -0400 Subject: [Merge M62] Fix UAF after destroying a widget during OnBeforeKeyStroke(). > Bug: chromium:766957 > Change-Id: I61b282059fb4fc2c8ba6dafc502f030f31dd324d > Reviewed-on: https://pdfium-review.googlesource.com/14710 > Commit-Queue: Henrique Nakashima > Reviewed-by: Tom Sepez Change-Id: I1dae26d28dd5720b57d8696a77fe3b514646edcd Reviewed-on: https://pdfium-review.googlesource.com/14835 Commit-Queue: Henrique Nakashima Commit-Queue: dsinclair Reviewed-by: dsinclair --- fpdfsdk/pwl/cpwl_edit.cpp | 11 +++++++++++ fpdfsdk/pwl/cpwl_list_box.cpp | 6 ++++++ 2 files changed, 17 insertions(+) diff --git a/fpdfsdk/pwl/cpwl_edit.cpp b/fpdfsdk/pwl/cpwl_edit.cpp index 4558e432ac..0a2aff643b 100644 --- a/fpdfsdk/pwl/cpwl_edit.cpp +++ b/fpdfsdk/pwl/cpwl_edit.cpp @@ -473,11 +473,17 @@ bool CPWL_Edit::OnKeyDown(uint16_t nChar, uint32_t nFlag) { if (nSelStart == nSelEnd) nSelEnd = nSelStart + 1; + CPWL_Wnd::ObservedPtr thisObserved(this); + bool bRC; bool bExit; std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), strChange, strChangeEx, nSelStart, nSelEnd, true, nFlag); + + if (!thisObserved) + return false; + if (!bRC) return false; if (bExit) @@ -550,10 +556,15 @@ bool CPWL_Edit::OnChar(uint16_t nChar, uint32_t nFlag) { break; } + CPWL_Wnd::ObservedPtr thisObserved(this); + CFX_WideString strChangeEx; std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, true, nFlag); + + if (!thisObserved) + return false; } } diff --git a/fpdfsdk/pwl/cpwl_list_box.cpp b/fpdfsdk/pwl/cpwl_list_box.cpp index a9c553ee5b..6cbf73ed16 100644 --- a/fpdfsdk/pwl/cpwl_list_box.cpp +++ b/fpdfsdk/pwl/cpwl_list_box.cpp 
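Review bot: The `if (!thisObserved) return false;` guards added after `m_pFillerNotify->OnBeforeKeyStroke(...)` in `CPWL_Edit::OnKeyDown` and `CPWL_Edit::OnChar` carry no comment saying why the object may be gone, so a later cleanup could drop them as dead code. The same applies to the guard in `CPWL_ListBox::OnNotifySelectionChanged`. I would add above each `ObservedPtr` declaration something like `// OnBeforeKeyStroke() may destroy this widget; touch no members after the call unless thisObserved is still set.` Both functions start and end outside these hunks, so whether code after the guards or in their callers touches the widget following a `false` return cannot be checked from here. The diffstat lists only the two .cpp files, so a regression test for the destroyed-widget path is presumably not part of this change.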
@@ -260,6 +260,8 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) { if (!m_pFillerNotify) return false; + CPWL_Wnd::ObservedPtr thisObserved(this); + CFX_WideString swChange = GetText(); CFX_WideString strChangeEx; int nSelStart = 0; @@ -269,6 +271,10 @@ bool CPWL_ListBox::OnNotifySelectionChanged(bool bKeyDown, uint32_t nFlag) { std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke( GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, bKeyDown, nFlag); + + if (!thisObserved) + return false; + return bExit; } -- cgit v1.2.3
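Review bot: On the destroyed-widget path `OnNotifySelectionChanged` returns `false`, the same value it returns when `bExit` is false, so a caller cannot tell "the list box is gone" from "the callback did not ask to exit". If callers keep using the list box after a `false` result, the use-after-free would only move up one frame. Either return `true` on that path, if `bExit == true` means "stop processing", or have each caller hold its own `CPWL_Wnd::ObservedPtr` across the call. This is inferred from the visible `return bExit;` alone; the callers are outside the hunk and should be checked.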