fpdfsdk/src/javascript/Document.cpp - Issue 1223163004: Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: fpdfsdk/src/javascript/Document.cpp

Issue 1223163004: Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay (Closed) Base URL: https://pdfium.googlesource.com/pdfium@2403

Patch Set: Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: fpdfsdk/src/javascript/Document.cpp

diff --git a/fpdfsdk/src/javascript/Document.cpp b/fpdfsdk/src/javascript/Document.cpp

index be568e10cc8e207218a9c5bd24922bf3e45bd631..4090f99b48f0a30ca75345df971d94f80d851d23 100644

--- a/fpdfsdk/src/javascript/Document.cpp

+++ b/fpdfsdk/src/javascript/Document.cpp

@@ -988,15 +988,25 @@ FX_BOOL Document::delay(IFXJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sE

}

else

{

- for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++)

+ CFX_ArrayTemplate<CJS_DelayData*> DelayDataToProcess;

+ for (int i=0,sz=m_DelayData.GetSize(); i < sz; i++)

{

if (CJS_DelayData* pData = m_DelayData.GetAt(i))

{

- Field::DoDelay(m_pDocument, pData);

- delete m_DelayData.GetAt(i);

+ DelayDataToProcess.Add(pData);

+ m_DelayData.SetAt(i, NULL);

}

m_DelayData.RemoveAll();

+ for (int i=0,sz=DelayDataToProcess.GetSize(); i < sz; i++)

+ {

+ CJS_DelayData* pData = DelayDataToProcess.GetAt(i);

+ Field::DoDelay(m_pDocument, pData);

+ DelayDataToProcess.SetAt(i,NULL);

+ delete pData;

+ }

}

return TRUE;

@@ -1927,6 +1937,7 @@ void Document::AddDelayData(CJS_DelayData* pData)

void Document::DoFieldDelay(const CFX_WideString& sFieldName, int nControlIndex)

{

CFX_DWordArray DelArray;

+ CFX_ArrayTemplate<CJS_DelayData*> DelayDataForFieldAndControlIndex;

for (int i=0,sz=m_DelayData.GetSize(); i<sz; i++)

{

@@ -1934,8 +1945,7 @@ void Document::DoFieldDelay(const CFX_WideString& sFieldName, int nControlIndex)

{

if (pData->sFieldName == sFieldName && pData->nControlIndex == nControlIndex)

{

- Field::DoDelay(m_pDocument, pData);

- delete pData;

+ DelayDataForFieldAndControlIndex.Add(pData);

m_DelayData.SetAt(i, NULL);

DelArray.Add(i);

}

@@ -1946,6 +1956,14 @@ void Document::DoFieldDelay(const CFX_WideString& sFieldName, int nControlIndex)

{

m_DelayData.RemoveAt(DelArray[j]);

}

+ for (int i=0,sz=DelayDataForFieldAndControlIndex.GetSize(); i < sz; i++)

+ {

+ CJS_DelayData* pData = DelayDataForFieldAndControlIndex.GetAt(i);

+ Field::DoDelay(m_pDocument, pData);

+ DelayDataForFieldAndControlIndex.SetAt(i,NULL);

+ delete pData;

+ }

}

void Document::AddDelayAnnotData(CJS_AnnotObj *pData)

« no previous file with comments | « no previous file | no next file » | no next file with comments »