From 1886471c3432dee4d9a9be5678a757dde8717652 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lu=E1=BA=ADt=20Nguy=E1=BB=85n?= Date: Tue, 10 Oct 2017 12:39:22 +0800 Subject: Fix UAF in SaveData on all of CFFL_* types. Bug: 756427 Change-Id: I8e31d96c6f3b83a6464ed69c95225362c50386d1 Reviewed-on: https://pdfium-review.googlesource.com/15870 Commit-Queue: Tom Sepez Reviewed-by: Tom Sepez --- fpdfsdk/formfiller/cffl_checkbox.cpp | 6 ++++++ fpdfsdk/formfiller/cffl_combobox.cpp | 7 ++++++- fpdfsdk/formfiller/cffl_formfiller.cpp | 5 ++++- fpdfsdk/formfiller/cffl_listbox.cpp | 9 +++++++++ fpdfsdk/formfiller/cffl_radiobutton.cpp | 6 ++++++ fpdfsdk/formfiller/cffl_textfield.cpp | 16 ++++++++++------ 6 files changed, 41 insertions(+), 8 deletions(-) (limited to 'fpdfsdk') diff --git a/fpdfsdk/formfiller/cffl_checkbox.cpp b/fpdfsdk/formfiller/cffl_checkbox.cpp index 2863a56001..e9c72efd39 100644 --- a/fpdfsdk/formfiller/cffl_checkbox.cpp +++ b/fpdfsdk/formfiller/cffl_checkbox.cpp @@ -111,9 +111,15 @@ void CFFL_CheckBox::SaveData(CPDFSDK_PageView* pPageView) { } } } + CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get()); + CFFL_CheckBox::ObservedPtr observed_this(this); m_pWidget->SetCheck(bNewChecked, false); + if (!observed_widget) + return; m_pWidget->UpdateField(); + if (!observed_widget || !observed_this) + return; SetChangeMark(); } diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp index ab34a650c5..d9b12f5d3c 100644 --- a/fpdfsdk/formfiller/cffl_combobox.cpp +++ b/fpdfsdk/formfiller/cffl_combobox.cpp @@ -108,11 +108,16 @@ void CFFL_ComboBox::SaveData(CPDFSDK_PageView* pPageView) { m_pWidget->GetSelectedIndex(0); m_pWidget->SetOptionSelection(nCurSel, true, false); } + CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get()); + CFFL_ComboBox::ObservedPtr observed_this(this); m_pWidget->ResetFieldAppearance(true); + if (!observed_widget) + return; m_pWidget->UpdateField(); + if (!observed_widget || !observed_this) + return; SetChangeMark(); - m_pWidget->GetPDFPage(); } diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp index 1ed7ffa420..8f48c029da 100644 --- a/fpdfsdk/formfiller/cffl_formfiller.cpp +++ b/fpdfsdk/formfiller/cffl_formfiller.cpp @@ -491,7 +491,10 @@ bool CFFL_FormFiller::CommitData(CPDFSDK_PageView* pPageView, uint32_t nFlag) { if (!pObserved) return false; - SaveData(pPageView); + SaveData(pPageView); // may invoking JS to delete this widget. + if (!pObserved) + return false; + pFormFiller->OnCalculate(&pObserved, pPageView, nFlag); if (!pObserved) return false; diff --git a/fpdfsdk/formfiller/cffl_listbox.cpp b/fpdfsdk/formfiller/cffl_listbox.cpp index 9dad11d3a0..e628e59cb8 100644 --- a/fpdfsdk/formfiller/cffl_listbox.cpp +++ b/fpdfsdk/formfiller/cffl_listbox.cpp @@ -117,9 +117,18 @@ void CFFL_ListBox::SaveData(CPDFSDK_PageView* pPageView) { } else { m_pWidget->SetOptionSelection(pListBox->GetCurSel(), true, false); } + CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get()); + CFFL_ListBox::ObservedPtr observed_this(this); + m_pWidget->SetTopVisibleIndex(nNewTopIndex); + if (!observed_widget) + return; m_pWidget->ResetFieldAppearance(true); + if (!observed_widget) + return; m_pWidget->UpdateField(); + if (!observed_widget || !observed_this) + return; SetChangeMark(); } diff --git a/fpdfsdk/formfiller/cffl_radiobutton.cpp b/fpdfsdk/formfiller/cffl_radiobutton.cpp index f8ada67ff3..73ac44de46 100644 --- a/fpdfsdk/formfiller/cffl_radiobutton.cpp +++ b/fpdfsdk/formfiller/cffl_radiobutton.cpp @@ -102,9 +102,15 @@ void CFFL_RadioButton::SaveData(CPDFSDK_PageView* pPageView) { } } } + CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get()); + CFFL_RadioButton::ObservedPtr observed_this(this); m_pWidget->SetCheck(bNewChecked, false); + if (!observed_widget) + return; m_pWidget->UpdateField(); + if (!observed_widget || !observed_this) + return; SetChangeMark(); } diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp index 4174ae4179..ad8d27c916 100644 --- a/fpdfsdk/formfiller/cffl_textfield.cpp +++ b/fpdfsdk/formfiller/cffl_textfield.cpp @@ -141,13 +141,17 @@ void CFFL_TextField::SaveData(CPDFSDK_PageView* pPageView) { CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get()); CFFL_TextField::ObservedPtr observed_this(this); + m_pWidget->SetValue(sNewValue, false); - if (observed_widget) - m_pWidget->ResetFieldAppearance(true); - if (observed_widget) - m_pWidget->UpdateField(); - if (observed_this) - SetChangeMark(); + if (!observed_widget) + return; + m_pWidget->ResetFieldAppearance(true); + if (!observed_widget) + return; + m_pWidget->UpdateField(); + if (!observed_widget || !observed_this) + return; + SetChangeMark(); } void CFFL_TextField::GetActionData(CPDFSDK_PageView* pPageView, -- cgit v1.2.3