From adb19b0b11ab16a406d23797564fc0ec3a5da245 Mon Sep 17 00:00:00 2001
From: Artem Strygin
Date: Wed, 4 Oct 2017 19:43:10 +0300
Subject: Fix Heap-use-after-free in CPDF_SecurityHandler::~CPDF_SecurityHandler.

The CPDF_SecurityHandler contains unowned reference to "ID" array, which is owned by main trailer. Main trailer is owned by CPDF_Parser::m_TrailerData
To fix this issue set m_TrailerData before m_pSecurityHandler(CPDF_SecurityHandler) in CPDF_Parser members list.

Bug: chromium:771479
Change-Id: I38413ba16b1454ac775c8a07b126fa3b86714c1b
Reviewed-on: https://pdfium-review.googlesource.com/15430
Reviewed-by: dsinclair
Commit-Queue: Art Snake
---
 core/fpdfapi/parser/cpdf_parser.cpp | 1 -
 core/fpdfapi/parser/cpdf_parser.h | 4 +++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/fpdfapi/parser/cpdf_parser.cpp b/core/fpdfapi/parser/cpdf_parser.cpp
index b6231a7a6a..6957c84071 100644
--- a/core/fpdfapi/parser/cpdf_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_parser.cpp
@@ -101,7 +101,6 @@ CPDF_Parser::CPDF_Parser()
 m_bHasParsed(false),
 m_bXRefStream(false),
 m_FileVersion(0),
- m_pEncryptDict(nullptr),
 m_TrailerData(pdfium::MakeUnique()) {}

 CPDF_Parser::~CPDF_Parser() {
diff --git a/core/fpdfapi/parser/cpdf_parser.h b/core/fpdfapi/parser/cpdf_parser.h
index 96bd6f43a9..a58838e5fb 100644
--- a/core/fpdfapi/parser/cpdf_parser.h
+++ b/core/fpdfapi/parser/cpdf_parser.h
@@ -200,11 +200,13 @@ class CPDF_Parser {
 bool m_bHasParsed;
 bool m_bXRefStream;
 int m_FileVersion;
+ // m_TrailerData must be destroyed after m_pSecurityHandler due to the
+ // ownership of the ID array data.
+ std::unique_ptr m_TrailerData;
 UnownedPtr m_pEncryptDict;
 FX_FILESIZE m_LastXRefOffset;
 std::unique_ptr m_pSecurityHandler;
 ByteString m_Password;
- std::unique_ptr m_TrailerData;
 std::unique_ptr m_pLinearized;

 // A map of object numbers to indirect streams.
--
cgit v1.2.3
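Review bot: Dropping `m_pEncryptDict(nullptr)` from the initializer list makes the member's starting value depend on UnownedPtr's default constructor, which is not visible in this hunk; that is only safe if UnownedPtr value-initializes to null, which I would expect but cannot confirm from here. The removal is presumably forced by the new declaration order in cpdf_parser.h (m_TrailerData now precedes m_pEncryptDict, so the old initializer order would have been flagged by -Wreorder), but the commit message does not say so. A one-line comment on the remaining `m_TrailerData(...)` initializer, such as `// m_pEncryptDict is left to UnownedPtr's default (null) state; keep this list in declaration order.`, would record both facts. The constructor's initializer list starts before this hunk and `~CPDF_Parser()`'s body continues past it.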
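Review bot: The fix for the heap-use-after-free relies entirely on member declaration order to get the destruction order right, and the added comment states the constraint less precisely than the commit message does; I would sharpen it to `// m_TrailerData owns the main trailer, whose "ID" array CPDF_SecurityHandler references without owning. Keep it declared before m_pSecurityHandler so it is destroyed after it.` so the next person reordering members sees the exact dependency. Because the same ordering rule now implicitly covers the other non-owning members declared below it (m_pEncryptDict is an UnownedPtr and may also point into trailer-owned data, which I cannot confirm from this hunk), the comment could say that everything below m_TrailerData may borrow from it. Ordering-based lifetime guarantees are easy to regress silently, so a regression test with the reproducer from chromium:771479 under ASan (or an explicit `m_pSecurityHandler.reset()` at the top of `~CPDF_Parser()`, whose body is outside this diff) would make the intent enforceable rather than advisory. The CPDF_Parser class declaration begins and ends outside the hunk.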