Observe CPDFSDK_PageView inside ExitWidget().
ExitWidget() can trigger the deletion of the caller. Use an ObservedPtr to
check for this and bail out safely.
Bug: chromium:1026991
Change-Id: If27c1b02a0d6f3bb39c999a85366e393fa150687
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/66815
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/fpdfsdk/cpdfsdk_pageview.cpp b/fpdfsdk/cpdfsdk_pageview.cpp
index 732bd49..b32fbea 100644
--- a/fpdfsdk/cpdfsdk_pageview.cpp
+++ b/fpdfsdk/cpdfsdk_pageview.cpp
@@ -403,12 +403,19 @@
bool callExitCallback,
uint32_t nFlag) {
m_bOnWidget = false;
- if (m_pCaptureWidget) {
- if (callExitCallback)
- pAnnotHandlerMgr->Annot_OnMouseExit(this, &m_pCaptureWidget, nFlag);
+ if (!m_pCaptureWidget)
+ return;
- m_pCaptureWidget.Reset();
+ if (callExitCallback) {
+ ObservedPtr<CPDFSDK_PageView> pThis(this);
+ pAnnotHandlerMgr->Annot_OnMouseExit(this, &m_pCaptureWidget, nFlag);
+
+ // Annot_OnMouseExit() may have invalidated |this|.
+ if (!pThis)
+ return;
}
+
+ m_pCaptureWidget.Reset();
}
bool CPDFSDK_PageView::OnMouseWheel(double deltaX,
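Review bot: ExitWidget() still returns void, so after the new `if (!pThis) return;` its callers cannot tell whether the page view survived the exit callback. The function's signature and its call sites are outside this hunk, so this is inferred. Any caller that keeps using members after ExitWidget() returns would presumably hit the same use-after-free one frame up. Either return a `bool` that is false when `|this|` was destroyed, or have each caller hold its own `ObservedPtr<CPDFSDK_PageView>` and check it after the call. At minimum, document the contract above the function, e.g. `// May destroy |this| when |callExitCallback| is true; callers must observe |this| before touching members afterwards.`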
diff --git a/testing/resources/javascript/xfa_specific/bug_1026991.evt b/testing/resources/javascript/xfa_specific/bug_1026991.evt
new file mode 100644
index 0000000..37d9022
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1026991.evt
@@ -0,0 +1,5 @@
+mousemove,0,0
+mousedown,left,0,0
+mouseup,left,0,0
+charcode,80
+mousemove,0,200
\ No newline at end of file
diff --git a/testing/resources/javascript/xfa_specific/bug_1026991.in b/testing/resources/javascript/xfa_specific/bug_1026991.in
new file mode 100644
index 0000000..4fb7657
--- /dev/null
+++ b/testing/resources/javascript/xfa_specific/bug_1026991.in
@@ -0,0 +1,65 @@
+{{header}}
+{{object 1 0}} <<
+ /Type /Catalog
+ /Pages 2 0 R
+ /AcroForm <<
+ /XFA 4 0 R
+ >>
+>>
+endobj
+{{object 2 0}} <<
+ /Type /Pages
+ /Count 1
+ /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+ /Type /Page
+ /Parent 2 0 R
+ /MediaBox [0 0 612 792]
+>>
+endobj
+{{object 4 0}} <<
+ {{streamlen}}
+>>
+stream
+<xdp xmlns="http://ns.adobe.com/xdp/">
+ <config>
+ <acrobat>
+ <acrobat7>
+ <dynamicRender>required</dynamicRender>
+ </acrobat7>
+ </acrobat>
+ <present>
+ <pdf>
+ <interactive>1</interactive>
+ </pdf>
+ </present>
+ </config>
+ <template>
+ <subform>
+ <bookend leader="$"/>
+ <keep intact="none" previous="contentArea"/>
+ <field name="N01" minH="32in">
+ <ui>
+ <choiceList>
+ <margin rightInset="8in"/>
+ </choiceList>
+ </ui>
+ </field>
+ <field minH="32in">
+ <event activity="change">
+ <script>
+ $host.setFocus("N01")
+ </script>
+ </event>
+ </field>
+ </subform>
+ </template>
+</xdp>
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF