From 28a4a2410f24910c709578d981cae3bb8153fdba Mon Sep 17 00:00:00 2001
From: dsinclair
Date: Mon, 22 Aug 2016 13:36:02 -0700
Subject: Destroy window before cleaning up combobox
Currently, when we destroy a CFFL_ComboBox we'll cleanup the fontmap and then call the destructor for the parent type. This will case the PWL_Wnd to be destroyed. In this case, the window is a PWL_Edit. On destruction it will reset the focus which causes the text selection to change, which asks the font map for data but we've already destroyed the font map. This CL forces the destruction of the window earlier in order to have the fontmap available. A followup bug is filed to correct the location of the fontmap so we don't have this dependency.
BUG=chromium:637546
Review-Url: https://codereview.chromium.org/2266943002
---
fpdfsdk/formfiller/cffl_combobox.cpp | 5 +++++
fpdfsdk/formfiller/cffl_formfiller.cpp | 4 ++++
fpdfsdk/formfiller/cffl_formfiller.h | 8 ++++++++
fpdfsdk/formfiller/cffl_textfield.cpp | 5 +++++
4 files changed, 22 insertions(+)
diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp
index 35591cff74..f6aef20c02 100644
--- a/fpdfsdk/formfiller/cffl_combobox.cpp
+++ b/fpdfsdk/formfiller/cffl_combobox.cpp
@@ -24,6 +24,11 @@ CFFL_ComboBox::CFFL_ComboBox(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot)
 CFFL_ComboBox::~CFFL_ComboBox() {
 for (const auto& it : m_Maps)
 it.second->InvalidateFocusHandler(this);
+
+ // See comment in cffl_formfiller.h.
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ DestroyWindows();
 delete m_pFontMap;
 }
diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp
index f2c34647d0..92e9282a74 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_formfiller.cpp
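Review bot: The `DestroyWindows()` call added to `~CFFL_ComboBox` runs a second time when the base destructor `~CFFL_FormFiller` (cffl_formfiller.cpp hunk) executes, and the cffl_textfield.cpp hunk has the same double invocation. That is only safe if `DestroyWindows()` leaves `m_Maps` empty: the visible part of its body iterates `m_Maps` and dereferences each `CPWL_Wnd*`, so a second pass over already-deleted windows would be the same use-after-free class this commit is fixing. The rest of `DestroyWindows()` is outside the hunk; if it does not already finish with `m_Maps.clear();`, add that line. A one-line comment at this call site would make the contract visible to the next reader: `// Also run by ~CFFL_FormFiller; DestroyWindows() must be safe to call twice.`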
@@ -27,6 +27,10 @@ CFFL_FormFiller::CFFL_FormFiller(CPDFDoc_Environment* pApp,
 }
 CFFL_FormFiller::~CFFL_FormFiller() {
+ DestroyWindows();
+}
+
+void CFFL_FormFiller::DestroyWindows() {
 for (const auto& it : m_Maps) {
 CPWL_Wnd* pWnd = it.second;
 CFFL_PrivateData* pData = (CFFL_PrivateData*)pWnd->GetAttachedData();
diff --git a/fpdfsdk/formfiller/cffl_formfiller.h b/fpdfsdk/formfiller/cffl_formfiller.h
index b1e323185b..060eb8f9e7 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.h
+++ b/fpdfsdk/formfiller/cffl_formfiller.h
@@ -154,6 +154,14 @@ class CFFL_FormFiller : public IPWL_Provider, public CPWL_TimerHandler {
 protected:
 using CFFL_PageView2PDFWindow = std::map;
+ // If the inheriting widget has its own fontmap and a PWL_Edit widget that
+ // access that fontmap then you have to call DestroyWindows before destroying
+ // the font map in order to not get a use-after-free.
+ //
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ void DestroyWindows();
+
 CPDFDoc_Environment* m_pApp;
 CPDFSDK_Widget* m_pWidget;
 CPDFSDK_Annot* m_pAnnot;
diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp
index aaa096a261..1947940094 100644
--- a/fpdfsdk/formfiller/cffl_textfield.cpp
+++ b/fpdfsdk/formfiller/cffl_textfield.cpp
@@ -17,6 +17,11 @@ CFFL_TextField::CFFL_TextField(CPDFDoc_Environment* pApp, CPDFSDK_Annot* pAnnot)
 CFFL_TextField::~CFFL_TextField() {
 for (const auto& it : m_Maps)
 it.second->InvalidateFocusHandler(this);
+
+ // See comment in cffl_formfiller.h.
+ // The font map should be stored somewhere more appropriate so it will live
+ // until the PWL_Edit is done with it. pdfium:566
+ DestroyWindows();
 }
 PWL_CREATEPARAM CFFL_TextField::GetCreateParam() {
-- cgit v1.2.3
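Review bot: The new comment on `DestroyWindows()` in cffl_formfiller.h omits the fact a subclass author most needs: `~CFFL_FormFiller` calls it itself, so a call from a derived destructor is a second invocation and the function has to be safe to run repeatedly. It also has a grammar slip, `a PWL_Edit widget that access that fontmap` should read `a PWL_Edit widget that accesses that fontmap`. I would extend the block with `// ~CFFL_FormFiller() also calls this, so a call from a derived destructor is a second invocation; the function must be safe to call repeatedly.` Whether the implementation actually leaves `m_Maps` empty after the first call is not visible in the cffl_formfiller.cpp hunk, which cuts off partway through the body, so that should be confirmed before the comment promises it.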