From b02012d565e2596c79c41c6fbf7f2ed88c4bbc51 Mon Sep 17 00:00:00 2001
From: jinming_wang
Date: Wed, 20 Apr 2016 08:37:21 +0800
Subject: fix issue of Heap Use-After-Free in CXFA_LayoutItem::AddChild
BUG=chromium:590711
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/1901013002 .
---
 xfa/fxfa/parser/xfa_layout_itemlayout.cpp | 42 ++++++++++++++++---------------
 1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/xfa/fxfa/parser/xfa_layout_itemlayout.cpp b/xfa/fxfa/parser/xfa_layout_itemlayout.cpp
index 1d3e31e276..b5d3bff885 100644
--- a/xfa/fxfa/parser/xfa_layout_itemlayout.cpp
+++ b/xfa/fxfa/parser/xfa_layout_itemlayout.cpp
@@ -545,27 +545,29 @@ void CXFA_LayoutItem::RemoveChild(CXFA_LayoutItem* pChildItem) {
 CXFA_ContentLayoutItem* CXFA_ItemLayoutProcessor::ExtractLayoutItem() {
   CXFA_ContentLayoutItem* pLayoutItem = m_pLayoutItem;
   if (pLayoutItem) {
-    m_pLayoutItem = (CXFA_ContentLayoutItem*)pLayoutItem->m_pNextSibling;
-    pLayoutItem->m_pNextSibling = NULL;
-  }
-  if (m_nCurChildNodeStage == XFA_ItemLayoutProcessorStages_Done &&
-      ToContentLayoutItem(m_pOldLayoutItem)) {
-    if (m_pOldLayoutItem->m_pPrev) {
-      m_pOldLayoutItem->m_pPrev->m_pNext = NULL;
-    }
-    CXFA_FFNotify* pNotify =
-        m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify();
-    CXFA_LayoutProcessor* pDocLayout =
-        m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout();
-    CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem;
-    while (pOldLayoutItem) {
-      CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext;
-      pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem);
-      delete pOldLayoutItem;
-      pOldLayoutItem = pNextOldLayoutItem;
-    }
-    m_pOldLayoutItem = NULL;
+    m_pLayoutItem =
+        static_cast(pLayoutItem->m_pNextSibling);
+    pLayoutItem->m_pNextSibling = nullptr;
   }
+  if (m_nCurChildNodeStage != XFA_ItemLayoutProcessorStages_Done ||
+      !ToContentLayoutItem(m_pOldLayoutItem))
+    return pLayoutItem;
+  if (m_pOldLayoutItem->m_pPrev)
+    m_pOldLayoutItem->m_pPrev->m_pNext = nullptr;
+  CXFA_FFNotify* pNotify =
+      m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify();
+  CXFA_LayoutProcessor* pDocLayout =
+      m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout();
+  CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem;
+  while (pOldLayoutItem) {
+    CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext;
+    pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem);
+    if (pOldLayoutItem->m_pParent)
+      pOldLayoutItem->m_pParent->RemoveChild(pOldLayoutItem);
+    delete pOldLayoutItem;
+    pOldLayoutItem = pNextOldLayoutItem;
+  }
+  m_pOldLayoutItem = nullptr;
   return pLayoutItem;
 }
 static FX_BOOL XFA_ItemLayoutProcessor_FindBreakNode(
-- cgit v1.2.3
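Review bot: The `if (pOldLayoutItem->m_pParent) pOldLayoutItem->m_pParent->RemoveChild(pOldLayoutItem);` added inside the `while (pOldLayoutItem)` loop is the actual use-after-free fix, yet it carries no comment and the commit lands with no regression input (the diffstat lists only this one source file for a BUG=chromium:590711 heap-use-after-free). I would put `// Unlink from the parent's child list before freeing; per crbug.com/590711 a stale entry there was later reached from CXFA_LayoutItem::AddChild.` above the check, and add the reproducer as a corpus/ASan test so the fix is pinned. Two things the hunk does not show and I would verify in RemoveChild and the CXFA_ContentLayoutItem destructor: whether RemoveChild also clears the removed item's parent pointer, and whether any child items hanging off the deleted old items are detached or freed rather than left pointing at freed memory. The unchecked `GetDocument()->GetParser()->GetNotify()` chain is pre-existing and merely moved by the early-return refactor, so I am not asking for a change there.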