Fix UAF in SaveData on all of CFFL_* types. Bug: 756427 Change-Id: I8e31d96c6f3b83a6464ed69c95225362c50386d1 Reviewed-on: https://pdfium-review.googlesource.com/15870 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>

commit: 1886471c3432dee4d9a9be5678a757dde8717652 [log] [tgz]
author: Luật Nguyễn <manhluat93.php@gmail.com> Tue Oct 10 12:39:22 2017 +0800
committer: Chromium commit bot <commit-bot@chromium.org> Tue Oct 10 20:12:46 2017 +0000
tree: 437dd29735be2351e475819798e40edddf41b50b
parent: dd002931a16a99b0c6e6ae7b6cba9d4dafb27e18 [diff]
diff --git a/AUTHORS b/AUTHORS
index 0c84bf9..ffd889e 100644
--- a/AUTHORS
+++ b/AUTHORS

@@ -27,13 +27,14 @@
 Kostya Serebryany <kcc@chromium.org>
 Lei Zhang <thestig@chromium.org>
 Lucas Nihlen <luken@chromium.org>
+Luật Nguyễn <manhluat93.php@gmail.com>
 Matt Giuca <mgiuca@chromium.org>
 Michael Doppler <m.doppler@gmail.com>
 Miklos Vajna <vmiklos@vmiklos.hu>
 Nico Weber <thakis@chromium.org>
 Peter Kasting <pkasting@chromium.org>
 Raymes Khoury <raymes@chromium.org>
-Reid Kleckner <rnk@chromium.org>

+Reid Kleckner <rnk@chromium.org>
 Ryan Wiley <wileyrr@gmail.com>
 Robert Sesek <rsesek@chromium.org>
 Sam Clegg <sbc@chromium.org>

diff --git a/fpdfsdk/formfiller/cffl_checkbox.cpp b/fpdfsdk/formfiller/cffl_checkbox.cpp
index 2863a56..e9c72ef 100644
--- a/fpdfsdk/formfiller/cffl_checkbox.cpp
+++ b/fpdfsdk/formfiller/cffl_checkbox.cpp

@@ -111,9 +111,15 @@
       }
     }
   }
+  CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+  CFFL_CheckBox::ObservedPtr observed_this(this);
 
   m_pWidget->SetCheck(bNewChecked, false);
+  if (!observed_widget)
+    return;
   m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
   SetChangeMark();
 }
 

diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp
index ab34a65..d9b12f5 100644
--- a/fpdfsdk/formfiller/cffl_combobox.cpp
+++ b/fpdfsdk/formfiller/cffl_combobox.cpp

@@ -108,11 +108,16 @@
     m_pWidget->GetSelectedIndex(0);
     m_pWidget->SetOptionSelection(nCurSel, true, false);
   }
+  CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+  CFFL_ComboBox::ObservedPtr observed_this(this);
 
   m_pWidget->ResetFieldAppearance(true);
+  if (!observed_widget)
+    return;
   m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
   SetChangeMark();
-
   m_pWidget->GetPDFPage();
 }
 

diff --git a/fpdfsdk/formfiller/cffl_formfiller.cpp b/fpdfsdk/formfiller/cffl_formfiller.cpp
index 1ed7ffa..8f48c02 100644
--- a/fpdfsdk/formfiller/cffl_formfiller.cpp
+++ b/fpdfsdk/formfiller/cffl_formfiller.cpp

@@ -491,7 +491,10 @@
   if (!pObserved)
     return false;
 
-  SaveData(pPageView);
+  SaveData(pPageView); // may invoking JS to delete this widget.
+  if (!pObserved)
+    return false;
+
   pFormFiller->OnCalculate(&pObserved, pPageView, nFlag);
   if (!pObserved)
     return false;

diff --git a/fpdfsdk/formfiller/cffl_listbox.cpp b/fpdfsdk/formfiller/cffl_listbox.cpp
index 9dad11d..e628e59 100644
--- a/fpdfsdk/formfiller/cffl_listbox.cpp
+++ b/fpdfsdk/formfiller/cffl_listbox.cpp

@@ -117,9 +117,18 @@
   } else {
     m_pWidget->SetOptionSelection(pListBox->GetCurSel(), true, false);
   }
+  CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+  CFFL_ListBox::ObservedPtr observed_this(this);
+
   m_pWidget->SetTopVisibleIndex(nNewTopIndex);
+  if (!observed_widget)
+    return;
   m_pWidget->ResetFieldAppearance(true);
+  if (!observed_widget)
+    return;
   m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
   SetChangeMark();
 }
 

diff --git a/fpdfsdk/formfiller/cffl_radiobutton.cpp b/fpdfsdk/formfiller/cffl_radiobutton.cpp
index f8ada67..73ac44d 100644
--- a/fpdfsdk/formfiller/cffl_radiobutton.cpp
+++ b/fpdfsdk/formfiller/cffl_radiobutton.cpp

@@ -102,9 +102,15 @@
       }
     }
   }
+  CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
+  CFFL_RadioButton::ObservedPtr observed_this(this);
 
   m_pWidget->SetCheck(bNewChecked, false);
+  if (!observed_widget)
+    return;
   m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
   SetChangeMark();
 }
 

diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp
index 4174ae4..ad8d27c 100644
--- a/fpdfsdk/formfiller/cffl_textfield.cpp
+++ b/fpdfsdk/formfiller/cffl_textfield.cpp

@@ -141,13 +141,17 @@
 
   CPDFSDK_Widget::ObservedPtr observed_widget(m_pWidget.Get());
   CFFL_TextField::ObservedPtr observed_this(this);
+
   m_pWidget->SetValue(sNewValue, false);
-  if (observed_widget)
-    m_pWidget->ResetFieldAppearance(true);
-  if (observed_widget)
-    m_pWidget->UpdateField();
-  if (observed_this)
-    SetChangeMark();
+  if (!observed_widget)
+    return;
+  m_pWidget->ResetFieldAppearance(true);
+  if (!observed_widget)
+    return;
+  m_pWidget->UpdateField();
+  if (!observed_widget || !observed_this)
+    return;
+  SetChangeMark();
 }
 
 void CFFL_TextField::GetActionData(CPDFSDK_PageView* pPageView,
commit	1886471c3432dee4d9a9be5678a757dde8717652	[log] [tgz]
author	Luật Nguyễn <manhluat93.php@gmail.com>	Tue Oct 10 12:39:22 2017 +0800
committer	Chromium commit bot <commit-bot@chromium.org>	Tue Oct 10 20:12:46 2017 +0000
tree	437dd29735be2351e475819798e40edddf41b50b
parent	dd002931a16a99b0c6e6ae7b6cba9d4dafb27e18 [diff]