From 32e693fe13105fab5baf81b334e932fce62d89b5 Mon Sep 17 00:00:00 2001
From: tsepez
Date: Thu, 4 Aug 2016 12:47:42 -0700
Subject: Fix issue when firing TimerProc() destroys timer
We must look the timer up a second time since the callback may have released it.
BUG=634394
Review-Url: https://codereview.chromium.org/2214003003
---
 fpdfsdk/javascript/JS_Object.cpp | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
(limited to 'fpdfsdk/javascript/JS_Object.cpp')
diff --git a/fpdfsdk/javascript/JS_Object.cpp b/fpdfsdk/javascript/JS_Object.cpp
index b0a307beb1..9ec316303d 100644
--- a/fpdfsdk/javascript/JS_Object.cpp
+++ b/fpdfsdk/javascript/JS_Object.cpp
@@ -115,16 +115,25 @@ void CJS_Timer::KillJSTimer() {
 // static
 void CJS_Timer::TimerProc(int idEvent) {
- const auto it = GetGlobalTimerMap()->find(idEvent);
- if (it != GetGlobalTimerMap()->end()) {
- CJS_Timer* pTimer = it->second;
- if (!pTimer->m_bProcessing) {
- CFX_AutoRestorer scoped_processing(&pTimer->m_bProcessing);
- pTimer->m_bProcessing = true;
- if (pTimer->m_pEmbedObj)
- pTimer->m_pEmbedObj->TimerProc(pTimer);
- }
- }
+ auto it = GetGlobalTimerMap()->find(idEvent);
+ if (it == GetGlobalTimerMap()->end())
+ return;
+
+ CJS_Timer* pTimer = it->second;
+ if (pTimer->m_bProcessing)
+ return;
+
+ pTimer->m_bProcessing = true;
+ if (pTimer->m_pEmbedObj)
+ pTimer->m_pEmbedObj->TimerProc(pTimer);
+
+ // Timer proc may have destroyed timer, find it again.
+ it = GetGlobalTimerMap()->find(idEvent);
+ if (it == GetGlobalTimerMap()->end())
+ return;
+
+ pTimer = it->second;
+ pTimer->m_bProcessing = false;
 }
 // static
-- cgit v1.2.3
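Review bot: The second `GetGlobalTimerMap()->find(idEvent)` after the callback in `CJS_Timer::TimerProc` shows only that some timer is registered under that id, not that it is the object whose flag was set before the call. If an id can be handed out again after a timer is killed (id allocation is not visible in this hunk), the final `pTimer->m_bProcessing = false;` would clear the flag on a different timer, so the uniqueness assumption should be confirmed or stated in the comment. The comment should also record why the `CFX_AutoRestorer` was dropped, for example `// No scoped restorer: its destructor would write to |pTimer| after the callback may have freed it.`, so that a later cleanup does not reintroduce the write to freed memory. The diffstat shows one file changed, so a regression test that kills the timer from inside its own callback would have to be added separately.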