From 9afcfa46ee07bc22c94d49942f5a61d6a374fd2d Mon Sep 17 00:00:00 2001
From: Ryan Harrison <rharrison@chromium.org>
Date: Tue, 24 Apr 2018 18:44:29 +0000
Subject: Switch declaration order to prevent UAF

This is occuring when the variables go out of scope, due to C++s first
in, last out destruction policy.

BUG=chromium:808333

Change-Id: I44f37520a22720bc23df4c8a72ff73994c37eea1
Reviewed-on: https://pdfium-review.googlesource.com/31278
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 xfa/fxfa/parser/cxfa_document.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xfa/fxfa/parser/cxfa_document.cpp b/xfa/fxfa/parser/cxfa_document.cpp
index c3e73e2f19..6860c83376 100644
--- a/xfa/fxfa/parser/cxfa_document.cpp
+++ b/xfa/fxfa/parser/cxfa_document.cpp
@@ -1511,12 +1511,13 @@ void CXFA_Document::DoProtoMerge() {
   }
 
   for (CXFA_Node* pUseHrefNode : sUseNodes) {
+    // Must outlive the WideStringViews below.
+    WideString wsUseVal =
+        pUseHrefNode->JSObject()->GetCData(XFA_Attribute::Usehref);
     WideStringView wsURI;
     WideStringView wsID;
     WideStringView wsSOM;
 
-    WideString wsUseVal =
-        pUseHrefNode->JSObject()->GetCData(XFA_Attribute::Usehref);
     if (!wsUseVal.IsEmpty()) {
       auto uSharpPos = wsUseVal.Find('#');
       if (!uSharpPos.has_value()) {
-- 
cgit v1.2.3