From 55469aed5acffcce3259d37418ba9e8b8e60d801 Mon Sep 17 00:00:00 2001
From: Henrique Nakashima
Date: Wed, 4 Oct 2017 11:08:45 -0400
Subject: Fix UAF in SetVisible().

SetVisible() may be called during Destroy() which may be called during SetVisible(). This fixes the latest in a family of bugs that happen after an instance is freed by code triggered by JS code while it's executing a method. The CL has a lot of protection for many of these points where JS may be executed and potentially destroy objects. The return types of many methods that may execute JS have been changed to bool, indicating whether the instance is still alive after the call.

Bug: chromium:770148
Change-Id: If5a9db4d8d6aac10f4dd6b645922bb96c116684d
Reviewed-on: https://pdfium-review.googlesource.com/15190
Reviewed-by: dsinclair
Commit-Queue: Henrique Nakashima
---
 fpdfsdk/pwl/cpwl_list_box.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'fpdfsdk/pwl/cpwl_list_box.h')

diff --git a/fpdfsdk/pwl/cpwl_list_box.h b/fpdfsdk/pwl/cpwl_list_box.h
index fec4d63a0c..7cfdd18e93 100644
--- a/fpdfsdk/pwl/cpwl_list_box.h
+++ b/fpdfsdk/pwl/cpwl_list_box.h
@@ -61,7 +61,7 @@ class CPWL_ListBox : public CPWL_Wnd {
 void SetScrollInfo(const PWL_SCROLL_INFO& info) override;
 void SetScrollPosition(float pos) override;
 void ScrollWindowVertically(float pos) override;
- void RePosChildWnd() override;
+ bool RePosChildWnd() override;
 CFX_FloatRect GetFocusRect() const override;
 void SetFontSize(float fFontSize) override;
 float GetFontSize() const override;
--
cgit v1.2.3
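Review bot: The new `bool` return of `RePosChildWnd()` carries the liveness contract that only the commit message spells out — a false result means `this` was destroyed during the call — but nothing in the header states it, so a future caller of this override has no local cue that the result must be checked before touching any member. Add a comment above the declaration, e.g. `// Returns false if this window was destroyed while repositioning; callers must not use |this| afterwards.`, and, if the project already has a warn-on-ignored-result attribute or macro, apply it so a dropped return is caught at compile time rather than resurfacing as another use-after-free. Since the declaration is an `override`, the `CPWL_Wnd` base signature and the other overriders presumably change in the same CL; this view is limited to cpwl_list_box.h, so that cannot be confirmed here. The enclosing `CPWL_ListBox` class begins and ends outside the hunk.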