Observe CPDFSDK_PageView inside ExitWidget(). ExitWidget() can trigger the deletion of the caller. Use an ObservedPtr to check for this and bail out safely. Bug: chromium:1026991 Change-Id: If27c1b02a0d6f3bb39c999a85366e393fa150687 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/66815 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/fpdfsdk/cpdfsdk_pageview.cpp b/fpdfsdk/cpdfsdk_pageview.cpp
index 732bd49..b32fbea 100644
--- a/fpdfsdk/cpdfsdk_pageview.cpp
+++ b/fpdfsdk/cpdfsdk_pageview.cpp
@@ -403,12 +403,19 @@
 bool callExitCallback,
 uint32_t nFlag) {
 m_bOnWidget = false;
- if (m_pCaptureWidget) {
- if (callExitCallback)
- pAnnotHandlerMgr->Annot_OnMouseExit(this, &m_pCaptureWidget, nFlag);
+ if (!m_pCaptureWidget)
+ return;
 
- m_pCaptureWidget.Reset();
+ if (callExitCallback) {
+ ObservedPtr<CPDFSDK_PageView> pThis(this);
+ pAnnotHandlerMgr->Annot_OnMouseExit(this, &m_pCaptureWidget, nFlag);
+
+ // Annot_OnMouseExit() may have invalidated |this|.
+ if (!pThis)
+ return;
 }
+
+ m_pCaptureWidget.Reset();
 }
 
 bool CPDFSDK_PageView::OnMouseWheel(double deltaX,
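Review bot: ExitWidget() still returns void, so when the new `if (!pThis) return;` path is taken the caller has no way to learn that the page view was destroyed inside Annot_OnMouseExit(). The call sites are outside this hunk, so this is inferred, but any caller that touches members of the page view after ExitWidget() returns would hit the same use-after-free this change guards against. Consider returning a bool that reports whether the object survived (for example `return !!pThis;` on the callback path and `return true;` elsewhere) and checking it at each call site. At minimum, add a comment above the function such as `// May delete |this| when |callExitCallback| is true; callers must not touch members afterwards.` The function's signature starts above the hunk.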
diff --git a/testing/resources/javascript/xfa_specific/bug_1026991.evt b/testing/resources/javascript/xfa_specific/bug_1026991.evt
new file mode 100644
index 0000000..37d9022
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1026991.evt
@@ -0,0 +1,5 @@
+mousemove,0,0
+mousedown,left,0,0
+mouseup,left,0,0
+charcode,80
+mousemove,0,200
\ No newline at end of file
diff --git a/testing/resources/javascript/xfa_specific/bug_1026991.in b/testing/resources/javascript/xfa_specific/bug_1026991.in
new file mode 100644
index 0000000..4fb7657
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1026991.in
@@ -0,0 +1,65 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm <<
+ /XFA 4 0 R
+ >>
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+{{object 4 0}} <<
+ {{streamlen}}
+>>
+stream
+<xdp xmlns="http://ns.adobe.com/xdp/">
+ <config>
+ <acrobat>
+ <acrobat7>
+ <dynamicRender>required</dynamicRender>
+ </acrobat7>
+ </acrobat>
+ <present>
+ <pdf>
+ <interactive>1</interactive>
+ </pdf>
+ </present>
+ </config>
+ <template>
+ <subform>
+ <bookend leader="$"/>
+ <keep intact="none" previous="contentArea"/>
+ <field name="N01" minH="32in">
+ <ui>
+ <choiceList>
+ <margin rightInset="8in"/>
+ </choiceList>
+ </ui>
+ </field>
+ <field minH="32in">
+ <event activity="change">
+ <script>
+ $host.setFocus("N01")
+ </script>
+ </event>
+ </field>
+ </subform>
+ </template>
+</xdp>
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF