Google Git
Sign in
pdfium/pdfium.git/ceb66ad5c4c3fc2767a8de899112e1ea0e6e498d^!/.
commit
ceb66ad5c4c3fc2767a8de899112e1ea0e6e498d
[log]
author
Lei Zhang <thestig@chromium.org>
Tue Jun 02 00:54:19 2020 +0000
committer
Chromium commit bot <commit-bot@chromium.org>
Tue Jun 02 00:54:19 2020 +0000
tree
3e23e79fd397cd8c1cef363356b3e7862ac1561e
parent
0e744a2a712c01ca67cdd6161da561e2c6bc5925 [diff]
Fix an UnownedPtr error in CXFA_FFTabOrderPageWidgetIterator.

CPDFXFA_Page::GetNextXFAAnnot() and GetFirstOrLastXFAAnnot() can
potentially trigger an UnownedPtr error in
CXFA_FFTabOrderPageWidgetIterator. Fix the issue by using a RetainPtr to
ensure the object in question has the right live time.

This is a secondary issue from a previous bug report. Add a test case
for that.

Bug: chromium:980161
Change-Id: I895c3b6634aa0f7a68d2b44cc0307afc64716c78
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/70252
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

diff --git a/testing/resources/javascript/xfa_specific/bug_980161.evt b/testing/resources/javascript/xfa_specific/bug_980161.evt
new file mode 100644
index 0000000..a5025fa
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_980161.evt

@@ -0,0 +1,4 @@
+mousemove,50,50
+mousedown,left,50,50
+mouseup,left,50,50
+keycode,9

diff --git a/testing/resources/javascript/xfa_specific/bug_980161.in b/testing/resources/javascript/xfa_specific/bug_980161.in
new file mode 100644
index 0000000..058444d
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_980161.in

@@ -0,0 +1,55 @@
+{{header}}
+{{include ../../xfa_catalog_1_0.fragment}}
+{{include ../../xfa_object_2_0.fragment}}
+{{include ../../xfa_preamble_3_0.fragment}}
+{{include ../../xfa_config_4_0.fragment}}
+{{object 5 0}} <<
+  {{streamlen}}
+>>
+stream
+<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
+  <subform layout="tb" locale="en_US" name="form1" restoreState="auto">
+    <pageSet>
+      <pageArea id="Page1" name="Page1">
+        <contentArea h="10.5in" w="8in" x="0.25in" y="0.25in"/>
+        <medium long="11in" short="8.5in" stock="letter"/>
+      </pageArea>
+    </pageSet>
+    <subform h="10.5in" w="8in">
+      <field h="3mm" name="DropDownList1" w="3mm" x="0mm" y="1mm">
+        <ui>
+          <choiceList/>
+        </ui>
+        <items save="1">
+          <text>Single</text>
+          <text>Married</text>
+          <text>Other</text>
+        </items>
+      </field>
+      <field h="500.0001mm" name="DropDownList2" w="500.625mm" x="0mm" y="0mm">
+        <ui>
+          <textEdit></textEdit>
+        </ui>
+        <traversal>
+          <traverse operation="next" ref="$xfa.(eval('xfa.host.setFocus(field_DropDownList1); xfa.template.remerge(); xfa.host.openList(field_DropDownList1);') == 0)"/>
+        </traversal>
+      </field>
+    </subform>
+    <event activity="docReady">
+      <script contentType="application/x-javascript">
+        field_DropDownList1 = xfa.resolveNode("xfa.form..DropDownList1");
+        field_DropDownList2 = xfa.resolveNode("xfa.form..DropDownList2");
+        xfa.host.setFocus(field_DropDownList2);
+      </script>
+    </event>
+  </subform>
+</template>
+endstream
+endobj
+{{include ../../xfa_locale_6_0.fragment}}
+{{include ../../xfa_postamble_7_0.fragment}}
+{{include ../../xfa_pages_8_0.fragment}}
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF

diff --git a/xfa/fxfa/cxfa_ffpageview.cpp b/xfa/fxfa/cxfa_ffpageview.cpp
index 45a4ddc..3e3a7a4 100644
--- a/xfa/fxfa/cxfa_ffpageview.cpp
+++ b/xfa/fxfa/cxfa_ffpageview.cpp

@@ -238,7 +238,7 @@
 CXFA_FFTabOrderPageWidgetIterator::CXFA_FFTabOrderPageWidgetIterator(
     CXFA_FFPageView* pPageView,
     uint32_t dwFilter)
-    : m_pPageView(pPageView),
+    : m_pPageViewLayout(pPageView->GetLayoutItem()),
       m_dwFilter(dwFilter),
       m_bIgnoreRelevant(IsDocVersionBelow205(GetDocForPageView(pPageView))) {
   Reset();
@@ -442,7 +442,7 @@
 
 void CXFA_FFTabOrderPageWidgetIterator::CreateSpaceOrderWidgetArray(
     std::vector<CXFA_FFWidget*>* WidgetArray) {
-  CXFA_LayoutItemIterator sIterator(m_pPageView->GetLayoutItem());
+  CXFA_LayoutItemIterator sIterator(m_pPageViewLayout.Get());
   auto pParam = std::make_unique<CXFA_TabParam>(nullptr);
   bool bCurrentItem = false;
   bool bContentArea = false;

diff --git a/xfa/fxfa/cxfa_ffpageview.h b/xfa/fxfa/cxfa_ffpageview.h
index a4ecb3d..1025046 100644
--- a/xfa/fxfa/cxfa_ffpageview.h
+++ b/xfa/fxfa/cxfa_ffpageview.h

@@ -108,7 +108,7 @@
                       bool bMasterPage);
 
   std::vector<RetainPtr<CXFA_ContentLayoutItem>> m_TabOrderWidgetArray;
-  UnownedPtr<CXFA_FFPageView> const m_pPageView;
+  RetainPtr<CXFA_ViewLayoutItem> const m_pPageViewLayout;
   const uint32_t m_dwFilter;
   int32_t m_iCurWidget = -1;
   const bool m_bIgnoreRelevant;