From d2e27d660a96080882e43825fb4b5d03e8a4d05a Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Mon, 15 Oct 2018 21:57:32 +0000
Subject: Clone dict before iteration in CJS_Document::get_info

Bug: 895152
Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305
Reviewed-on: https://pdfium-review.googlesource.com/c/44050
Reviewed-by: Lei Zhang
Commit-Queue: Tom Sepez
---
 fxjs/cjs_document.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'fxjs')

diff --git a/fxjs/cjs_document.cpp b/fxjs/cjs_document.cpp
index f682ffd636..adf36be403 100644
--- a/fxjs/cjs_document.cpp
+++ b/fxjs/cjs_document.cpp
@@ -740,8 +740,9 @@ CJS_Result CJS_Document::get_info(CJS_Runtime* pRuntime) {
 pRuntime->PutObjectProperty(pObj, L"Trapped", pRuntime->NewString(cwTrapped.AsStringView()));
- // It's to be compatible to non-standard info dictionary.
- for (const auto& it : *pDictionary) {
+ // PutObjectProperty() calls below may re-enter JS and change info dict.
+ auto pCopy = pDictionary->Clone();
+ for (const auto& it : *ToDictionary(pCopy.get())) {
 const ByteString& bsKey = it.first;
 CPDF_Object* pValueObj = it.second.get();
 WideString wsKey = WideString::FromUTF8(bsKey.AsStringView());
-- 
cgit v1.2.3
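Review bot: The new comment above the loop replaces the old one instead of adding to it, so the reason the loop exists is no longer recorded; I would keep both, e.g. `// Copy non-standard info dictionary entries for compatibility.` followed by `// Iterate a clone: PutObjectProperty() may re-enter JS and mutate the live dict, invalidating the iterators.`. It is also worth noting there that `pCopy` must stay alive for the whole loop, because `pValueObj` now points into the clone rather than the document's dictionary. `*ToDictionary(pCopy.get())` is dereferenced unchecked, which is fine only as long as Clone() on a dictionary always yields a dictionary; that looks intended but cannot be confirmed from this hunk. The body of get_info starts and ends outside the hunk, so whether `pDictionary` is read again after a PutObjectProperty() call elsewhere in the function cannot be judged here.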