From 1886471c3432dee4d9a9be5678a757dde8717652 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lu=E1=BA=ADt=20Nguy=E1=BB=85n?= <manhluat93.php@gmail.com>
Date: Tue, 10 Oct 2017 12:39:22 +0800
Subject: Fix UAF in SaveData on all of CFFL_* types.

Bug: 756427
Change-Id: I8e31d96c6f3b83a6464ed69c95225362c50386d1
Reviewed-on: https://pdfium-review.googlesource.com/15870
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
---
 fpdfsdk/formfiller/cffl_radiobutton.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'fpdfsdk/formfiller/cffl_radiobutton.cpp')

diff --git a/fpdfsdk/formfiller/cffl_radiobutton.cpp b/fpdfsdk/formfiller/cffl_radiobutton.cpp
index f8ada67ff3..73ac44de46 100644
--- a/fpdfsdk/formfiller/cffl_radiobutton.cpp
+++ b/fpdfsdk/formfiller/cffl_radiobutton.cpp
@@ -102,9 +102,15 @@ void CFFL_RadioButton::SaveData(CPDFSDK_PageView* pPageView) {
       }
     }
   }
+  CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+  CFFL_RadioButton::ObservedPtr observed_this(this);
 
   m_pWidget->SetCheck(bNewChecked, false);
+  if (!observed_widget)
+    return;
   m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
   SetChangeMark();
 }
 
-- 
cgit v1.2.3