PDF: Fix uninit memory access in PDFiumEngine.

pdf/pdfium/pdfium_engine.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef PDF_PDFIUM_PDFIUM_ENGINE_H_
 #define PDF_PDFIUM_PDFIUM_ENGINE_H_
 
 #include <map>
 #include <string>
 #include <utility>
@@ skipping 113 matching lines @@
     // rectangles, in screen coordinates.
     void GetVisibleSelectionsScreenRects(std::vector<pp::Rect>* rects);
 
     PDFiumEngine* engine_;
     // Screen rectangles that were selected on construction.
     std::vector<pp::Rect> old_selections_;
     // The origin at the time this object was constructed.
     pp::Point previous_origin_;
   };
 
+  // Used to store mouse down state to handle it in other mouse event handlers.
+  class MouseDownState {
+   public:
+    MouseDownState(const PDFiumPage::Area& area,
+                   const PDFiumPage::LinkTarget& target);
+    ~MouseDownState();
+
+    void Set(const PDFiumPage::Area& area,
+             const PDFiumPage::LinkTarget& target);
+    void Reset();
+    bool Matches(const PDFiumPage::Area& area,
+                 const PDFiumPage::LinkTarget& target) const;
+
+   private:
+    PDFiumPage::Area area_;
+    PDFiumPage::LinkTarget target_;
+
+    DISALLOW_COPY_AND_ASSIGN(MouseDownState);
+  };
+
   friend class SelectionChangeInvalidator;
 
   struct FileAvail : public FX_FILEAVAIL {
     DocumentLoader* loader;
   };
 
   struct DownloadHints : public FX_DOWNLOADHINTS {
     DocumentLoader* loader;
   };
 
@@ skipping 358 matching lines @@
   // code still has a pointer to it.
   bool defer_page_unload_;
   std::vector<int> deferred_page_unloads_;
 
   // Used for selection.  There could be more than one range if selection spans
   // more than one page.
   std::vector<PDFiumRange> selection_;
   // True if we're in the middle of selection.
   bool selecting_;
 
-  // Used to store mouse down state to handle it in other mouse event handlers.
-  struct MouseDownState {

[Lei Zhang, 2014/09/12 22:49:04]

non-trivial struct/class -> class

-    MouseDownState() {};

[Lei Zhang, 2014/09/12 22:49:04]

didn't initialize |area_| or |target_| -> :(

-    MouseDownState(PDFiumPage::Area area, PDFiumPage::LinkTarget target)
-        : area_(area), target_(target) {};
-    PDFiumPage::Area area_;
-    PDFiumPage::LinkTarget target_;
-
-    bool operator==(const MouseDownState& rhs) const {
-      return (area_ == rhs.area_) && (target_.url == rhs.target_.url);

[Lei Zhang, 2014/09/12 22:49:04]

what about target_.page ??

-    }
-
-    bool operator!=(const MouseDownState rhs) const {

[Lei Zhang, 2014/09/12 22:49:04]

const ref

-      return (area_ != rhs.area_) || (target_.url != rhs.target_.url);

[Lei Zhang, 2014/09/12 22:49:04]

As written, this could have just been: return !(*this == rhs)

-    }
-  };
   MouseDownState mouse_down_state_;
 
   // Used for searching.
   typedef std::vector<PDFiumRange> FindResults;
   FindResults find_results_;
   // Which page to search next.
   int next_page_to_search_;
   // Where to stop searching.
   int last_page_to_search_;
   int last_character_index_to_search_;  // -1 if search until end of page.
@@ skipping 105 matching lines @@
 
   // See the definition of GetPDFPageSizeByIndex in pdf.cc for details.
   virtual bool GetPDFPageSizeByIndex(const void* pdf_buffer,
                                      int pdf_buffer_size, int page_number,
                                      double* width, double* height);
 };
 
 }  // namespace chrome_pdf
 
 #endif  // PDF_PDFIUM_PDFIUM_ENGINE_H_