Google Git
Sign in
pdfium / pdfium / 77417ec9e1312a75407f8ab46dd46f777a1742f1^! / .
commit77417ec9e1312a75407f8ab46dd46f777a1742f1[log] [tgz]
authorTom Sepez <tsepez@chromium.org>Wed Jul 19 16:46:22 2017 -0700
committerChromium commit bot <commit-bot@chromium.org>Thu Jul 20 17:01:59 2017 +0000
treef5d40337730001d8576116783fdada892d20becc
parentdc11ec85ebf637efe99dd9195a2a6a52c3e4d48f [diff]
Make CPWL_Wnd classes be observable.

This is another case where JS may lead to destruction of
an object far away from where we are holding it.

Bug: 737023
Change-Id: I994d5425184b8c00b5cfaeb95dbb5032a6e09edb
Reviewed-on: https://pdfium-review.googlesource.com/8350
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

diff --git a/fpdfsdk/formfiller/cffl_combobox.cpp b/fpdfsdk/formfiller/cffl_combobox.cpp
index 6af65de..175ccb7 100644
--- a/fpdfsdk/formfiller/cffl_combobox.cpp
+++ b/fpdfsdk/formfiller/cffl_combobox.cpp

@@ -231,19 +231,12 @@
     SaveState(pPageView);
 
   DestroyPDFWindow(pPageView);
-
-  CPWL_Wnd* pRet = nullptr;
-
-  if (bRestoreValue) {
+  if (bRestoreValue)
     RestoreState(pPageView);
-    pRet = GetPDFWindow(pPageView, false);
-  } else {
-    pRet = GetPDFWindow(pPageView, true);
-  }
 
-  m_pWidget->UpdateField();
-
-  return pRet;
+  CPWL_Wnd::ObservedPtr pRet(GetPDFWindow(pPageView, !bRestoreValue));
+  m_pWidget->UpdateField();  // May invoke JS, invalidating pRet.
+  return pRet.Get();
 }
 
 #ifdef PDF_ENABLE_XFA

diff --git a/fpdfsdk/formfiller/cffl_listbox.cpp b/fpdfsdk/formfiller/cffl_listbox.cpp
index 11206e2..4a6264d 100644
--- a/fpdfsdk/formfiller/cffl_listbox.cpp
+++ b/fpdfsdk/formfiller/cffl_listbox.cpp

@@ -189,17 +189,10 @@
     SaveState(pPageView);
 
   DestroyPDFWindow(pPageView);
-
-  CPWL_Wnd* pRet = nullptr;
-
-  if (bRestoreValue) {
+  if (bRestoreValue)
     RestoreState(pPageView);
-    pRet = GetPDFWindow(pPageView, false);
-  } else {
-    pRet = GetPDFWindow(pPageView, true);
-  }
 
-  m_pWidget->UpdateField();
-
-  return pRet;
+  CPWL_Wnd::ObservedPtr pRet(GetPDFWindow(pPageView, !bRestoreValue));
+  m_pWidget->UpdateField();  // May invoke JS, invalidating pRet.
+  return pRet.Get();
 }

diff --git a/fpdfsdk/formfiller/cffl_textfield.cpp b/fpdfsdk/formfiller/cffl_textfield.cpp
index 70bc202..d598419 100644
--- a/fpdfsdk/formfiller/cffl_textfield.cpp
+++ b/fpdfsdk/formfiller/cffl_textfield.cpp

@@ -238,14 +238,12 @@
     SaveState(pPageView);
 
   DestroyPDFWindow(pPageView);
-
-  CPWL_Wnd* pRet = nullptr;
-
   if (bRestoreValue)
     RestoreState(pPageView);
-  pRet = GetPDFWindow(pPageView, !bRestoreValue);
-  m_pWidget->UpdateField();
-  return pRet;
+
+  CPWL_Wnd::ObservedPtr pRet(GetPDFWindow(pPageView, !bRestoreValue));
+  m_pWidget->UpdateField();  // May invoke JS, invalidating pRet.
+  return pRet.Get();
 }
 
 #ifdef PDF_ENABLE_XFA

diff --git a/fpdfsdk/pdfwindow/cpwl_wnd.h b/fpdfsdk/pdfwindow/cpwl_wnd.h
index dfe5dc0..56fbb21 100644
--- a/fpdfsdk/pdfwindow/cpwl_wnd.h
+++ b/fpdfsdk/pdfwindow/cpwl_wnd.h

@@ -168,7 +168,7 @@
   CFX_Matrix mtChild;                           // ignore
 };
 
-class CPWL_Wnd : public CPWL_TimerHandler {
+class CPWL_Wnd : public CPWL_TimerHandler, public CFX_Observable<CPWL_Wnd> {
  public:
   CPWL_Wnd();
   ~CPWL_Wnd() override;