Google Git
Sign in
pdfium / pdfium / 6b8572240975fd479c176b25f5ab45c92ea090eb
commit6b8572240975fd479c176b25f5ab45c92ea090eb[log] [tgz]
authorLei Zhang <thestig@chromium.org>Mon Jul 13 14:20:49 2015 -0700
committerLei Zhang <thestig@chromium.org>Mon Jul 13 14:20:49 2015 -0700
tree9b56dc72d2db4269aa18cad8641b42470cfada11
parentd14dd02bc9d5c521b88c9f1175c3a11cacf914b1 [diff]
Merge to M44: Fix heap use after free in Document::DoFieldDelay and Document::delay

This fix removes CJS_DelayData object from m_DelayData array and copies them to
a new array, before processing them. So contents of m_DelayData array cannot be
used after they get freed.

BUG=487928

R=tsepez@chromium.org

TEST= Chrome pdf plugin should not crash when poc_stable,testuafdocument1.pdf
      and testuafdocument2.pdf are viewed.
      see crbug.com/487928 and crbug.com/487928#c18 for more details.

Review URL: https://codereview.chromium.org/1163823002

(cherry picked from commit 4ff7a4246c81a71b4f878e959b3ca304cd76ec8a)

Review URL: https://codereview.chromium.org/1223163004 .
1 file changed
tree: 9b56dc72d2db4269aa18cad8641b42470cfada11
  1. build/
  2. core/
  3. fpdfsdk/
  4. public/
  5. samples/
  6. testing/
  7. third_party/
  8. .gitignore
  9. AUTHORS
  10. BUILD.gn
  11. codereview.settings
  12. DEPS
  13. LICENSE
  14. OWNERS
  15. pdfium.gyp
  16. README