Observe CXFA_FFWidget across a function SetFocusWidget().
The CXFA_FFWidget object can be destroyed by the JS code of the field's exit
event, which is triggered by calling SetFocusWidget().
Use ObservedPtr to detect this destruction.
Bug: chromium:993553
Change-Id: I694d63bb62cd01e4a9a038afdcd009425b0284b5
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/59410
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/fxjs/xfa/cjx_hostpseudomodel.cpp b/fxjs/xfa/cjx_hostpseudomodel.cpp
index 2437a30..0cfffa6 100644
--- a/fxjs/xfa/cjx_hostpseudomodel.cpp
+++ b/fxjs/xfa/cjx_hostpseudomodel.cpp
@@ -310,8 +310,13 @@
if (!hWidget)
return CJS_Result::Success();
+ // SetFocusWidget() may destroy |hWidget| object by JS callback.
+ ObservedPtr<CXFA_FFWidget> pObservedWidget(hWidget);
CXFA_FFDoc* hDoc = pNotify->GetHDOC();
hDoc->GetDocEnvironment()->SetFocusWidget(hDoc, hWidget);
+ if (!pObservedWidget)
+ return CJS_Result::Success();
+
pNotify->OpenDropDownList(hWidget);
return CJS_Result::Success();
}
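Review bot: After the added `if (!pObservedWidget)` check, `pNotify->OpenDropDownList(hWidget)` still dereferences the raw `pNotify` and passes the raw `hWidget`, both obtained before the re-entrant `SetFocusWidget()` call. The widget is now guarded, but the hunk does not show what keeps `pNotify` and `hDoc` alive if the exit-event script tears down more than the widget, so that lifetime should be confirmed or observed in the same way. Passing the observed handle, `pNotify->OpenDropDownList(pObservedWidget.Get());`, would tie the post-callback use to the pointer that was actually checked. A regression test whose exit-event script removes the focused field would pin the fix. The function starts outside the hunk, so earlier uses of `hWidget` were not reviewed.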