
Side by Side Diff: fpdfsdk/src/javascript/Document.cpp

Issue 1223163004: Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay (Closed) Base URL: https://pdfium.googlesource.com/pdfium@2403
Patch Set: Created 5 years, 5 months ago
OLDNEW
1 // Copyright 2014 PDFium Authors. All rights reserved. 1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "../../include/javascript/JavaScript.h" 7 #include "../../include/javascript/JavaScript.h"
8 #include "../../include/javascript/IJavaScript.h" 8 #include "../../include/javascript/IJavaScript.h"
9 #include "../../include/javascript/JS_Define.h" 9 #include "../../include/javascript/JS_Define.h"
10 #include "../../include/javascript/JS_Object.h" 10 #include "../../include/javascript/JS_Object.h"
(...skipping 970 matching lines...)
981 981
982 if (m_bDelay) 982 if (m_bDelay)
983 { 983 {
984 for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++) 984 for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++)
985 delete m_DelayData.GetAt(i); 985 delete m_DelayData.GetAt(i);
986 986
987 m_DelayData.RemoveAll(); 987 m_DelayData.RemoveAll();
988 } 988 }
989 else 989 else
990 { 990 {
991 » » » for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++) 991 » » » CFX_ArrayTemplate<CJS_DelayData*> DelayDataToProcess;
992
993 » » » for (int i=0,sz=m_DelayData.GetSize(); i < sz; i++)
992 { 994 {
993 if (CJS_DelayData* pData = m_DelayData.GetAt(i)) 995 if (CJS_DelayData* pData = m_DelayData.GetAt(i))
994 { 996 {
995 » » » » » Field::DoDelay(m_pDocument, pData); 997 » » » » » DelayDataToProcess.Add(pData);
996 » » » » » delete m_DelayData.GetAt(i); 998 » » » » » m_DelayData.SetAt(i, NULL);
997 } 999 }
998 } 1000 }
999 m_DelayData.RemoveAll(); 1001 m_DelayData.RemoveAll();
1002
1003 for (int i=0,sz=DelayDataToProcess.GetSize(); i < sz; i+ +)
1004 {
1005 CJS_DelayData* pData = DelayDataToProcess.GetAt( i);
1006 Field::DoDelay(m_pDocument, pData);
1007 DelayDataToProcess.SetAt(i,NULL);
1008 delete pData;
1009 }
1000 } 1010 }
1001 1011
1002 return TRUE; 1012 return TRUE;
1003 } 1013 }
1004 } 1014 }
1005 1015
1006 FX_BOOL Document::keywords(IFXJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError) 1016 FX_BOOL Document::keywords(IFXJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError)
1007 { 1017 {
1008 ASSERT(m_pDocument != NULL); 1018 ASSERT(m_pDocument != NULL);
1009 1019
(...skipping 910 matching lines...)
1920 } 1930 }
1921 1931
1922 void Document::AddDelayData(CJS_DelayData* pData) 1932 void Document::AddDelayData(CJS_DelayData* pData)
1923 { 1933 {
1924 m_DelayData.Add(pData); 1934 m_DelayData.Add(pData);
1925 } 1935 }
1926 1936
1927 void Document::DoFieldDelay(const CFX_WideString& sFieldName, int nControlIndex) 1937 void Document::DoFieldDelay(const CFX_WideString& sFieldName, int nControlIndex)
1928 { 1938 {
1929 CFX_DWordArray DelArray; 1939 CFX_DWordArray DelArray;
1940 CFX_ArrayTemplate<CJS_DelayData*> DelayDataForFieldAndControlIndex;
1930 1941
1931 for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++) 1942 for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++)
1932 { 1943 {
1933 if (CJS_DelayData* pData = m_DelayData.GetAt(i)) 1944 if (CJS_DelayData* pData = m_DelayData.GetAt(i))
1934 { 1945 {
1935 if (pData->sFieldName == sFieldName && pData->nControlIn dex == nControlIndex) 1946 if (pData->sFieldName == sFieldName && pData->nControlIn dex == nControlIndex)
1936 { 1947 {
1937 » » » » Field::DoDelay(m_pDocument, pData); 1948 » » » » DelayDataForFieldAndControlIndex.Add(pData);
1938 » » » » delete pData;
1939 m_DelayData.SetAt(i, NULL); 1949 m_DelayData.SetAt(i, NULL);
1940 DelArray.Add(i); 1950 DelArray.Add(i);
1941 } 1951 }
1942 } 1952 }
1943 } 1953 }
1944 1954
1945 for (int j=DelArray.GetSize()-1; j>=0; j--) 1955 for (int j=DelArray.GetSize()-1; j>=0; j--)
1946 { 1956 {
1947 m_DelayData.RemoveAt(DelArray[j]); 1957 m_DelayData.RemoveAt(DelArray[j]);
1948 } 1958 }
1959
1960 for (int i=0,sz=DelayDataForFieldAndControlIndex.GetSize(); i < sz; i++)
1961 {
1962 CJS_DelayData* pData = DelayDataForFieldAndControlIndex.GetAt(i) ;
1963 Field::DoDelay(m_pDocument, pData);
1964 DelayDataForFieldAndControlIndex.SetAt(i,NULL);
1965 delete pData;
1966 }
1949 } 1967 }
1950 1968
1951 void Document::AddDelayAnnotData(CJS_AnnotObj *pData) 1969 void Document::AddDelayAnnotData(CJS_AnnotObj *pData)
1952 { 1970 {
1953 m_DelayAnnotData.Add(pData); 1971 m_DelayAnnotData.Add(pData);
1954 } 1972 }
1955 1973
1956 void Document::DoAnnotDelay() 1974 void Document::DoAnnotDelay()
1957 { 1975 {
1958 CFX_DWordArray DelArray; 1976 CFX_DWordArray DelArray;
1959 1977
1960 for (int j=DelArray.GetSize()-1; j>=0; j--) 1978 for (int j=DelArray.GetSize()-1; j>=0; j--)
1961 { 1979 {
1962 m_DelayData.RemoveAt(DelArray[j]); 1980 m_DelayData.RemoveAt(DelArray[j]);
1963 } 1981 }
1964 } 1982 }
1965 1983
1966 CJS_Document* Document::GetCJSDoc() const 1984 CJS_Document* Document::GetCJSDoc() const
1967 { 1985 {
1968 return static_cast<CJS_Document*>(m_pJSObject); 1986 return static_cast<CJS_Document*>(m_pJSObject);
1969 } 1987 }
1970 1988
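Review bot: The two-pass structure added at new lines 991–1009, and again at new lines 1940–1966 in Document::DoFieldDelay, has no comment explaining why entries are first moved out of m_DelayData and only then passed to Field::DoDelay. A later cleanup could merge the loops again and bring back the use-after-free named in the issue title. Presumably Field::DoDelay can run code that re-enters Document and mutates or frees m_DelayData; if that is the cause, say so above each local array, e.g. `// Field::DoDelay may re-enter and modify m_DelayData; detach the entries first so this loop only touches pointers it owns.` The drain loop (GetAt, DoDelay, SetAt NULL, delete) is duplicated in both functions and would be easier to keep correct as one private helper that takes the local array. The first function begins in the skipped lines above this section, so its entry conditions are not visible here.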