Avoid dangling ptr in ~CPWL_MsgControl().
During window destruction, remove the destroyed window's pointers from CPWL_MsgControl
so they do not dangle, even for the brief period before the MsgControl itself gets cleaned up.
Bug: chromium:1447268
Change-Id: I6579ed3acf288e2d955777f199644a4b501fdc0e
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/107950
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/fpdfsdk/pwl/cpwl_wnd.cpp b/fpdfsdk/pwl/cpwl_wnd.cpp
index 6a5829c..04f2453 100644
--- a/fpdfsdk/pwl/cpwl_wnd.cpp
+++ b/fpdfsdk/pwl/cpwl_wnd.cpp
@@ -89,8 +89,25 @@
m_KeyboardPaths.clear();
}
- void SetCapture(CPWL_Wnd* pWnd) { m_MousePaths = pWnd->GetAncestors(); }
+ void RemoveWnd(CPWL_Wnd* pWnd) {
+ if (pWnd == m_pCreatedWnd) {
+ m_pCreatedWnd = nullptr;
+ }
+ if (pWnd == m_pMainKeyboardWnd) {
+ m_pMainKeyboardWnd = nullptr;
+ }
+ auto mouse_it = std::find(m_MousePaths.begin(), m_MousePaths.end(), pWnd);
+ if (mouse_it != m_MousePaths.end()) {
+ m_MousePaths.erase(mouse_it);
+ }
+ auto keyboard_it =
+ std::find(m_KeyboardPaths.begin(), m_KeyboardPaths.end(), pWnd);
+ if (keyboard_it != m_KeyboardPaths.end()) {
+ m_KeyboardPaths.erase(keyboard_it);
+ }
+ }
+ void SetCapture(CPWL_Wnd* pWnd) { m_MousePaths = pWnd->GetAncestors(); }
void ReleaseCapture() { m_MousePaths.clear(); }
private:
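Review bot: RemoveWnd() erases only the destroyed window's own entry from m_MousePaths / m_KeyboardPaths (L24-L32), so the remaining ancestors of a captured or focused window stay recorded after that window is gone; since both paths are assigned wholesale as an ancestor chain (SetCapture at L34) and released by clearing (ReleaseCapture at L35), a chain with one element cut out no longer describes any live window's ancestry. If the intent is that destroying the captured window releases capture, `if (mouse_it != m_MousePaths.end()) m_MousePaths.clear();` (and the same for the keyboard path) matches the existing release semantics; if the partial chain is intended, a comment saying so would spare the next reader the same question. Either way the new method should carry a contract comment, e.g. `// Forget |pWnd| before it is destroyed; safe to call for a window this object never recorded.` The use of std::find presumably relies on <algorithm> being included, which cannot be confirmed from this hunk; the enclosing class body starts and ends outside it.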
@@ -630,8 +647,14 @@
void CPWL_Wnd::DestroyMsgControl() {
CPWL_MsgControl* pMsgControl = GetMsgControl();
- if (pMsgControl && pMsgControl->IsWndCreated(this))
+ if (!pMsgControl) {
+ return;
+ }
+ const bool owned = pMsgControl->IsWndCreated(this);
+ pMsgControl->RemoveWnd(this);
+ if (owned) {
delete pMsgControl;
+ }
}
CPWL_MsgControl* CPWL_Wnd::GetMsgControl() const {
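Review bot: The ordering at L44-L45 is load-bearing but undocumented: `owned` must be evaluated before RemoveWnd(this), because RemoveWnd clears m_pCreatedWnd (L18-L19), which IsWndCreated() presumably compares against, so swapping the two lines would make `owned` false and leak the control. Suggest `// Evaluate ownership first: RemoveWnd() clears the created-window pointer.` above L44, and a brief why-comment on the unconditional RemoveWnd call, e.g. `// Detach this window even when it owns the control; harmless when the control is deleted just below.` Whether other windows still hold the pointer returned by GetMsgControl() after `delete pMsgControl` cannot be judged here, as GetMsgControl()'s body lies outside the hunk.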
diff --git a/testing/resources/javascript/bug_1447268.evt b/testing/resources/javascript/bug_1447268.evt
new file mode 100644
index 0000000..be4c96c
--- /dev/null
+++ b/testing/resources/javascript/bug_1447268.evt
@@ -0,0 +1,2 @@
+mouseup,left,107,521
+mousedown,left,108,521
diff --git a/testing/resources/javascript/bug_1447268.in b/testing/resources/javascript/bug_1447268.in
new file mode 100644
index 0000000..b12a389
--- /dev/null
+++ b/testing/resources/javascript/bug_1447268.in
@@ -0,0 +1,209 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm 4 0 R
+ /OpenAction 40 0 R
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 5
+ /Kids [
+ 30 0 R
+ 31 0 R
+ 32 0 R
+ 33 0 R
+ 34 0 R
+ ]
+>>
+endobj
+% Forms
+{{object 4 0}} <<
+ /Fields [
+ 5 0 R
+ 8 0 R
+ 9 0 R
+ 10 0 R
+ 11 0 R
+ ]
+>>
+endobj
+% Fields
+{{object 5 0}} <<
+ /T (Field)
+ /Kids [6 0 R]
+ /V (my_field)
+>>
+endobj
+{{object 6 0}} <<
+ /FT /Tx
+ /Parent 5 0 R
+ /Kids [7 0 R]
+ /Rect [200 200 220 220]
+>>
+endobj
+{{object 7 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /Parent 6 0 R
+ /Rect [0 500 600 600]
+
+>>
+endobj
+{{object 8 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /FT /Tx
+ /T (Field2)
+ /V (Field_2)
+ /Rect [0 500 600 600]
+>>
+endobj
+{{object 9 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /FT /Tx
+ /T (Field4)
+ /V (Field_4)
+ /Rect [0 500 600 600]
+ /AA << /F 24 0 R >>
+>>
+endobj
+{{object 10 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /FT /Tx
+ /T (Field5)
+ /V (Field_5)
+ /Rect [0 500 600 600]
+>>
+endobj
+{{object 11 0}} <<
+ /T (Field3)
+ /Parent 4 0 R
+ /Kids [12 0 R]
+ /Opt [(aa) (bb) (cc) (dd) (ee)]
+ /V [(aa) (bb) (cc) (dd) (ee)]
+>>
+endobj
+{{object 12 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /FT /Ch
+ /Ff 131072
+ /Parent 11 0 R
+ /Kids [13 0 R]
+>>
+endobj
+{{object 13 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /Parent 12 0 R
+ /Rect [0 400 600 600]
+>>
+endobj
+{{object 14 0}} <<
+ /Type /Annot
+ /Subtype /Widget
+ /Parent 12 0 R
+ /Rect [100 400 500 500]
+>>
+endobj
+% OpenAction action
+{{object 22 0}} <<
+ /S /JavaScript
+ /JS 23 0 R
+>>
+endobj
+{{object 23 0}} <<
+ {{streamlen}}
+>>
+stream
+doc = this;
+function cb_func() {
+ doc.pageNum = 1;
+ doc.getField("Field" ).setFocus();
+ doc.getField("Field1").setFocus();
+ doc.getField("Field2").setFocus();
+ doc.getField("Field3").setFocus();
+ doc.getField("Field4").setFocus();
+ doc.getField("Field5").setFocus();
+ return 0;
+}
+doc.getField("Field").checkThisBox ({valueOf: cb_func});
+doc.getField("Field1").checkThisBox({valueOf: cb_func});
+doc.getField("Field2").checkThisBox({valueOf: cb_func});
+doc.getField("Field3").checkThisBox({valueOf: cb_func});
+doc.getField("Field4").checkThisBox({valueOf: cb_func});
+doc.getField("Field5").checkThisBox({valueOf: cb_func});
+endstream
+endobj
+% OpenAction action
+{{object 24 0}} <<
+ /S /JavaScript
+ /JS 25 0 R
+>>
+endobj
+{{object 25 0}} <<
+ {{streamlen}}
+>>
+stream
+this.pageNum = 2;
+this.pageNum = 3;
+endstream
+endobj
+% Pages
+{{object 30 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+{{object 31 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Annots [9 0 R]
+>>
+endobj
+{{object 32 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Annots [13 0 R]
+>>
+endobj
+{{object 33 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /AA <</C 22 0 R>>
+>>
+endobj
+{{object 34 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+ /Annots [10 0 R]
+>>
+endobj
+% Document JS Action
+{{object 40 0}} <<
+ /Type /Action
+ /S /JavaScript
+ /JS 41 0 R
+>>
+endobj
+{{object 41 0}} <<
+ {{streamlen}}
+>>
+stream
+var f = this.getField("Field4");
+f.setFocus();
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF
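Review bot: The `% OpenAction action` label above object 24 (L206) is misleading: object 24 is reached from Field4's `/AA << /F 24 0 R >>` (L134), i.e. it is the focus action whose two pageNum assignments produce the first two expected lines, while the document's actual /OpenAction is object 40 (L70, L256); suggest `% Field4 focus (/AA /F) action` there. Object 14 (L170-L176) is neither in object 12's /Kids nor in any page's /Annots, and cb_func's `getField("Field1")` names a field that does not exist in the form. If both are deliberate parts of the repro, a one-line `%` comment marking them as intentional would keep a later fixture cleanup from removing them and silently weakening the regression test.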
diff --git a/testing/resources/javascript/bug_1447268_expected.txt b/testing/resources/javascript/bug_1447268_expected.txt
new file mode 100644
index 0000000..5d198fe
--- /dev/null
+++ b/testing/resources/javascript/bug_1447268_expected.txt
@@ -0,0 +1,3 @@
+Goto Page: 2
+Goto Page: 3
+Goto Page: 1