Side by Side Diff: xfa/fxfa/parser/xfa_layout_itemlayout.cpp

Issue 1901013002: fix issue of Heap Use-After-Free in CXFA_LayoutItem::AddChild (Closed) Base URL: https://pdfium.googlesource.com/pdfium.git@master
Patch Set: Created 4 years, 8 months ago
1 // Copyright 2014 PDFium Authors. All rights reserved. 1 // Copyright 2014 PDFium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com 5 // Original code copyright 2014 Foxit Software Inc. http://www.foxitsoftware.com
6 6
7 #include "xfa/fxfa/parser/xfa_layout_itemlayout.h" 7 #include "xfa/fxfa/parser/xfa_layout_itemlayout.h"
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <memory> 10 #include <memory>
(...skipping 528 matching lines...) Expand 10 before | Expand all | Expand 10 after
539 if (pExistingChildItem) { 539 if (pExistingChildItem) {
540 pExistingChildItem->m_pNextSibling = pChildItem->m_pNextSibling; 540 pExistingChildItem->m_pNextSibling = pChildItem->m_pNextSibling;
541 } 541 }
542 } 542 }
543 pChildItem->m_pNextSibling = NULL; 543 pChildItem->m_pNextSibling = NULL;
544 pChildItem->m_pParent = NULL; 544 pChildItem->m_pParent = NULL;
545 } 545 }
546 CXFA_ContentLayoutItem* CXFA_ItemLayoutProcessor::ExtractLayoutItem() { 546 CXFA_ContentLayoutItem* CXFA_ItemLayoutProcessor::ExtractLayoutItem() {
547 CXFA_ContentLayoutItem* pLayoutItem = m_pLayoutItem; 547 CXFA_ContentLayoutItem* pLayoutItem = m_pLayoutItem;
548 if (pLayoutItem) { 548 if (pLayoutItem) {
549 m_pLayoutItem = (CXFA_ContentLayoutItem*)pLayoutItem->m_pNextSibling; 549 m_pLayoutItem =
550 pLayoutItem->m_pNextSibling = NULL; 550 static_cast<CXFA_ContentLayoutItem*>(pLayoutItem->m_pNextSibling);
551 pLayoutItem->m_pNextSibling = nullptr;
551 } 552 }
552 if (m_nCurChildNodeStage == XFA_ItemLayoutProcessorStages_Done && 553 if (m_nCurChildNodeStage != XFA_ItemLayoutProcessorStages_Done ||
553 ToContentLayoutItem(m_pOldLayoutItem)) { 554 !ToContentLayoutItem(m_pOldLayoutItem))
554 if (m_pOldLayoutItem->m_pPrev) { 555 return pLayoutItem;
555 m_pOldLayoutItem->m_pPrev->m_pNext = NULL; 556 if (m_pOldLayoutItem->m_pPrev)
556 } 557 m_pOldLayoutItem->m_pPrev->m_pNext = nullptr;
557 CXFA_FFNotify* pNotify = 558 CXFA_FFNotify* pNotify =
558 m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify(); 559 m_pOldLayoutItem->m_pFormNode->GetDocument()->GetParser()->GetNotify();
559 CXFA_LayoutProcessor* pDocLayout = 560 CXFA_LayoutProcessor* pDocLayout =
560 m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout(); 561 m_pOldLayoutItem->m_pFormNode->GetDocument()->GetDocLayout();
561 CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem; 562 CXFA_ContentLayoutItem* pOldLayoutItem = m_pOldLayoutItem;
562 while (pOldLayoutItem) { 563 while (pOldLayoutItem) {
563 CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext; 564 CXFA_ContentLayoutItem* pNextOldLayoutItem = pOldLayoutItem->m_pNext;
564 pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem); 565 pNotify->OnLayoutItemRemoving(pDocLayout, pOldLayoutItem);
565 delete pOldLayoutItem; 566 if (pOldLayoutItem->m_pParent)
566 pOldLayoutItem = pNextOldLayoutItem; 567 pOldLayoutItem->m_pParent->RemoveChild(pOldLayoutItem);
567 } 568 delete pOldLayoutItem;
568 m_pOldLayoutItem = NULL; 569 pOldLayoutItem = pNextOldLayoutItem;
569 } 570 }
571 m_pOldLayoutItem = nullptr;
570 return pLayoutItem; 572 return pLayoutItem;
571 } 573 }
572 static FX_BOOL XFA_ItemLayoutProcessor_FindBreakNode( 574 static FX_BOOL XFA_ItemLayoutProcessor_FindBreakNode(
573 CXFA_Node* pContainerNode, 575 CXFA_Node* pContainerNode,
574 CXFA_Node*& pCurActionNode, 576 CXFA_Node*& pCurActionNode,
575 XFA_ItemLayoutProcessorStages& nCurStage, 577 XFA_ItemLayoutProcessorStages& nCurStage,
576 FX_BOOL bBreakBefore) { 578 FX_BOOL bBreakBefore) {
577 FX_BOOL bFindRs = FALSE; 579 FX_BOOL bFindRs = FALSE;
578 for (CXFA_Node* pBreakNode = pContainerNode; pBreakNode; 580 for (CXFA_Node* pBreakNode = pContainerNode; pBreakNode;
579 pBreakNode = pBreakNode->GetNodeItem(XFA_NODEITEM_NextSibling)) { 581 pBreakNode = pBreakNode->GetNodeItem(XFA_NODEITEM_NextSibling)) {
(...skipping 2382 matching lines...) Expand 10 before | Expand all | Expand 10 after
2962 (int32_t)(uintptr_t)m_PendingNodesCount.GetValueAt(pTemplate); 2964 (int32_t)(uintptr_t)m_PendingNodesCount.GetValueAt(pTemplate);
2963 if (iCount >= iMax) { 2965 if (iCount >= iMax) {
2964 return FALSE; 2966 return FALSE;
2965 } 2967 }
2966 iCount++; 2968 iCount++;
2967 m_PendingNodesCount.SetAt(pTemplate, (void*)(uintptr_t)(iCount)); 2969 m_PendingNodesCount.SetAt(pTemplate, (void*)(uintptr_t)(iCount));
2968 return TRUE; 2970 return TRUE;
2969 } 2971 }
2970 return TRUE; 2972 return TRUE;
2971 } 2973 }
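Review bot: The new `RemoveChild` call at new lines 566–567 of ExtractLayoutItem unlinks each old item from its parent before `delete`, but nothing in the hunk detaches or frees that item's own children, so whether their `m_pParent` back-pointers are left pointing at freed memory depends on `~CXFA_LayoutItem`, which is not visible here and is worth confirming. The loop also deserves a why-comment, since the detach is the actual fix for the reported use-after-free, e.g. `// Detach from the parent before deleting so the parent's child list never holds a freed pointer.`. Note that `OnLayoutItemRemoving` is still invoked while the item is linked into its parent, so listeners can walk up the tree; if that ordering is deliberate it should be stated in the same comment. The tail of `RemoveChild` shown at lines 539–545 belongs to a function whose start is outside this section.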