Chromium Code Reviews

Issue 1223163004: Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay (Closed)

Created:
5 years, 5 months ago by Lei Zhang
Modified:
5 years, 5 months ago
Reviewers:
Tom Sepez
CC:
pdfium-reviews_googlegroups.com
Base URL:
https://pdfium.googlesource.com/pdfium@2403
Target Ref:
refs/heads/chromium/2403
Visibility:
Public.

Description

Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay

This fix removes CJS_DelayData objects from the m_DelayData array and copies them to a new array before processing them, so the contents of the m_DelayData array cannot be used after they get freed.

BUG=487928
R=tsepez@chromium.org
TEST=Chrome PDF plugin should not crash when poc_stable, testuafdocument1.pdf and testuafdocument2.pdf are viewed. See crbug.com/487928 and crbug.com/487928#c18 for more details.

Review URL: https://codereview.chromium.org/1163823002

(cherry picked from commit 4ff7a4246c81a71b4f878e959b3ca304cd76ec8a)

Committed: https://pdfium.googlesource.com/pdfium/+/6b8572240975fd479c176b25f5ab45c92ea090eb
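Added illustration, not pdfium's own code (this review page shows only the stats of the real Document.cpp change): a small C++ model of the pattern the description states, detaching the delay array into a local vector before processing it so that a re-entrant clear from inside the processing callback cannot free the entry still being used. DelayData, DelayDocument and the callback signature are assumed stand-ins for CJS_DelayData and Document::DoFieldDelay.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>
// Assumed stand-in for pdfium's CJS_DelayData (not the real type).
struct DelayData {
  std::string field;
  int value;
};
class DelayDocument {
 public:
  using Callback = std::function<void(DelayDocument&, const DelayData&)>;
  void AddDelay(const std::string& field, int value) {
    delay_data_.push_back(std::make_unique<DelayData>(DelayData{field, value}));
  }
  void ClearDelays() { delay_data_.clear(); }  // frees every queued entry
  std::size_t Pending() const { return delay_data_.size(); }
  // Mirrors the fix in the description: move the queue into a local vector and
  // process that, so a callback that clears or appends to delay_data_ can never
  // free the entry we are still holding a reference to.
  std::size_t DoFieldDelay(const Callback& cb) {
    std::vector<std::unique_ptr<DelayData>> work;
    work.swap(delay_data_);  // delay_data_ is empty from here on
    for (const auto& item : work) cb(*this, *item);
    return work.size();  // entries are destroyed here, after their last use
  }
 private:
  std::vector<std::unique_ptr<DelayData>> delay_data_;
};
struct ScenarioResult {
  std::size_t processed, pending_after;
  std::string fields_seen;  // each entry was still readable after the re-entrant clear
};

// Re-entrant callback of the kind the bug involved: while one entry is being
// processed it clears the document's queue and queues a fresh entry.
ScenarioResult RunReentrantScenario() {
  DelayDocument doc;
  doc.AddDelay("a", 1);
  doc.AddDelay("b", 2);
  std::string seen;
  std::size_t processed = doc.DoFieldDelay([&seen](DelayDocument& d, const DelayData& item) {
    d.ClearDelays();  // with a loop over the member array this would free 'item'
    d.AddDelay(item.field + "_again", item.value);
    seen += item.field;  // still valid: owned by DoFieldDelay's local vector
  });
  return {processed, doc.Pending(), seen};
}
```

Both original entries are processed and read after the clear, and only the single entry queued by the last callback remains pending for the next round.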

Patch Set 1: +23 lines, -5 lines

M fpdfsdk/src/javascript/Document.cpp: 4 chunks, +23 lines, -5 lines, 0 comments

Messages

Total messages: 2 (0 generated)
Lei Zhang
TBR
5 years, 5 months ago (2015-07-13 21:20:24 UTC) #1
Lei Zhang
5 years, 5 months ago (2015-07-13 21:20:55 UTC) #2
Message was sent while issue was closed.
Committed patchset #1 (id:1) manually as
6b8572240975fd479c176b25f5ab45c92ea090eb (presubmit successful).
