XFA: Change the destruction order inside CPDFXFA_Document to avoid UAFs.

XFA: Change the destruction order inside CPDFXFA_Document to avoid UAFs.

R=jun_fang@foxitsoftware.com, tsepez@chromium.org

Committed: https://pdfium.googlesource.com/pdfium/+/20e25f2d6cbe4e9955a6e7c445749d5492548d76

[Lei Zhang, 2016-01-07 00:41:10]

thestig@chromium.org changed reviewers:
+ jun_fang@foxitsoftware.com, tsepez@chromium.org

[Lei Zhang, 2016-01-07 00:41:10]

The UAF is in forms accessing CPDF_Dictionary objects that are owned by
CPDF_Document, and have already been freed in the CPDF_Document dtor via
~CPDFXFA_Document -> ~CPDF_Parser -> ~CPDF_Document.

[Tom Sepez, 2016-01-07 01:01:13]

lgtm

[jun_fang, 2016-01-07 04:30:47]

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
File fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp (right):

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:50: m_pJSContext = nullptr;
Nit: Do we need to set m_pJSContext as nullptr in the destruction function?

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:54: m_pSDKDoc = nullptr;
Nit: as above

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:62: m_pPDFDoc = nullptr;
nit: as above

[jun_fang, 2016-01-07 04:31:08]

On 2016/01/07 04:30:47, jun_fang wrote:
>
https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
> File fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp (right):
> 
>
https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
> fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:50: m_pJSContext = nullptr;
> Nit: Do we need to set m_pJSContext as nullptr in the destruction function?
> 
>
https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
> fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:54: m_pSDKDoc = nullptr;
> Nit: as above
> 
>
https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
> fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:62: m_pPDFDoc = nullptr;
> nit: as above

LGTM with nits.

[Lei Zhang, 2016-01-07 06:54:26]

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
File fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp (right):

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:50: m_pJSContext = nullptr;
On 2016/01/07 04:30:47, jun_fang wrote:
> Nit: Do we need to set m_pJSContext as nullptr in the destruction function? 

Done.

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:54: m_pSDKDoc = nullptr;
On 2016/01/07 04:30:47, jun_fang wrote:
> Nit: as above 

Done.

https://codereview.chromium.org/1566903002/diff/20001/fpdfsdk/src/fpdfxfa/fpd...
fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp:62: m_pPDFDoc = nullptr;
On 2016/01/07 04:30:47, jun_fang wrote:
> nit: as above

Done.

[Lei Zhang, 2016-01-07 06:54:55]

Description was changed from

==========
XFA: Change the destruction order inside CPDFXFA_Document to avoid UAFs.
==========

to

==========
XFA: Change the destruction order inside CPDFXFA_Document to avoid UAFs.

R=jun_fang@foxitsoftware.com, tsepez@chromium.org

Committed:
https://pdfium.googlesource.com/pdfium/+/20e25f2d6cbe4e9955a6e7c445749d549254...
==========

[Lei Zhang, 2016-01-07 06:54:56]

Committed patchset #3 (id:40001) manually as
20e25f2d6cbe4e9955a6e7c445749d5492548d76 (tree was closed).