From e6a6561b80e73347dd3a7bf660196455f154b573 Mon Sep 17 00:00:00 2001
From: dsinclair <dsinclair@chromium.org>
Date: Tue, 19 Jul 2016 10:15:23 -0700
Subject: Reset notify parameter in CPWL_ListBox OnDestroy().

Currently the OnDestroy() method of CPWL_ListBox will free
the |m_pListNotify| but it does not update the |m_pList| that
it has done so. This causes issues when CPWL_ListBox is
destroyed as the destructor for |m_pList| will attempt to
call into the |m_pListNotify|.

This CL resets the |m_pList| notify parameter before we
clear |m_pListNotify| in OnDestroy so it will not be
accessed during the |m_pList| destructor.

BUG=628995

Review-Url: https://codereview.chromium.org/2160023002
---
 fpdfsdk/pdfwindow/PWL_ListBox.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fpdfsdk/pdfwindow/PWL_ListBox.cpp b/fpdfsdk/pdfwindow/PWL_ListBox.cpp
index e8c1f82bde..c8a554b0f8 100644
--- a/fpdfsdk/pdfwindow/PWL_ListBox.cpp
+++ b/fpdfsdk/pdfwindow/PWL_ListBox.cpp
@@ -94,6 +94,10 @@ void CPWL_ListBox::OnCreated() {
 }
 
 void CPWL_ListBox::OnDestroy() {
+  // Make sure the notifier is removed from the list as we are about to
+  // destroy the notifier and don't want to leave a dangling pointer.
+  if (m_pList)
+    m_pList->SetNotify(nullptr);
   m_pListNotify.reset();
 }
 
-- 
cgit v1.2.3