Fix UAF after destroying a widget during OnBeforeKeyStroke().
Bug: chromium:766957
Change-Id: I61b282059fb4fc2c8ba6dafc502f030f31dd324d
Reviewed-on: https://pdfium-review.googlesource.com/14710
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
diff --git a/fpdfsdk/pwl/cpwl_edit.cpp b/fpdfsdk/pwl/cpwl_edit.cpp
index 0b74a18..662c69e 100644
--- a/fpdfsdk/pwl/cpwl_edit.cpp
+++ b/fpdfsdk/pwl/cpwl_edit.cpp
@@ -481,11 +481,17 @@
if (nSelStart == nSelEnd)
nSelEnd = nSelStart + 1;
+ CPWL_Wnd::ObservedPtr thisObserved(this);
+
bool bRC;
bool bExit;
std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
GetAttachedData(), strChange, strChangeEx, nSelStart, nSelEnd, true,
nFlag);
+
+ if (!thisObserved)
+ return false;
+
if (!bRC)
return false;
if (bExit)
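Review bot: Nothing at the `thisObserved` declaration says why it is there, and the invariant it protects is easy to break in a later edit: no member of this object may be read between the `OnBeforeKeyStroke()` call and the `if (!thisObserved)` check. I would add a comment above the declaration, e.g. `// OnBeforeKeyStroke() can destroy this widget; touch no members after the call until thisObserved is checked.` The same comment fits the second call site in this file (the hunk at new line 564) and the one in cpwl_list_box.cpp. The enclosing function starts and ends outside this hunk, so I cannot tell whether the code after `if (bExit)` calls back into the filler in a way that needs the same guard.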
@@ -558,10 +564,15 @@
break;
}
+ CPWL_Wnd::ObservedPtr thisObserved(this);
+
WideString strChangeEx;
std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, true,
nFlag);
+
+ if (!thisObserved)
+ return false;
}
}
diff --git a/fpdfsdk/pwl/cpwl_list_box.cpp b/fpdfsdk/pwl/cpwl_list_box.cpp
index b5c6293..c8f7be9 100644
--- a/fpdfsdk/pwl/cpwl_list_box.cpp
+++ b/fpdfsdk/pwl/cpwl_list_box.cpp
@@ -260,6 +260,8 @@
if (!m_pFillerNotify)
return false;
+ CPWL_Wnd::ObservedPtr thisObserved(this);
+
WideString swChange = GetText();
WideString strChangeEx;
int nSelStart = 0;
@@ -269,6 +271,10 @@
std::tie(bRC, bExit) = m_pFillerNotify->OnBeforeKeyStroke(
GetAttachedData(), swChange, strChangeEx, nSelStart, nSelEnd, bKeyDown,
nFlag);
+
+ if (!thisObserved)
+ return false;
+
return bExit;
}
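Review bot: Returning `false` from the `if (!thisObserved)` branch gives the same value as `return bExit;` when `bExit` is false, so a caller cannot tell "the list box was destroyed" from "carry on". The callers are not part of this diff; if any of them keeps using the list box after a `false` result, the use-after-free only moves one frame up the stack. Consider `return true;` in that branch, provided callers treat a true result as "stop and unwind". Alternatively, each caller could hold its own `CPWL_Wnd::ObservedPtr` and check it after this call. The function begins outside these hunks, so this is inferred from the visible lines only.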