author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-02-01 15:45:29 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-03-29 09:56:59 +0000 |
commit | 4d30deb8c6529d2f5e5830997f0ef1744ebc82f4 (patch) | |
tree | bc30de4865a8bec258985d7c5463efca87cf4940 | |
parent | db25c88fe480e87fac2ab856d1180d8358bc044f (diff) | |
download | qtwebengine-chromium-4d30deb8c6529d2f5e5830997f0ef1744ebc82f4.tar.gz |
[Backport] Fix for CVE-2019-5756
M71: Clone dict before iteration in CJS_Document::get_info
Bug: chromium:895152
TBR=tsepez@chromium.org
Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305
Reviewed-on: https://pdfium-review.googlesource.com/c/44050
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit d2e27d660a96080882e43825fb4b5d03e8a4d05a)
Reviewed-on: https://pdfium-review.googlesource.com/c/47333
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp b/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp index 15b58090875..9eba660eae8 100644 --- a/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp +++ b/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp @@ -808,8 +808,9 @@ bool Document::info(IJS_Context* cc, pRuntime->PutObjectString(pObj, L"ModDate", cwModDate); pRuntime->PutObjectString(pObj, L"Trapped", cwTrapped); - // It's to be compatible to non-standard info dictionary. - for (const auto& it : *pDictionary) { + // PutObjectProperty() calls below may re-enter JS and change info dict. + auto pCopy = pDictionary->Clone(); + for (const auto& it : *ToDictionary(pCopy.get())) { const CFX_ByteString& bsKey = it.first; CPDF_Object* pValueObj = it.second; CFX_WideString wsKey = CFX_WideString::FromUTF8(bsKey.AsStringC()); |
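Review bot: in the rewritten loop header, `*ToDictionary(pCopy.get())` is dereferenced without checking the result of the cast, so the loop is only safe if `pDictionary->Clone()` always yields a dictionary. Consider holding the cast result in a local and returning early (or asserting) when it is null, before the range-for starts. The change also drops the earlier comment saying the loop exists for compatibility with non-standard info dictionaries; keeping that line next to the new re-entrancy comment would preserve why the loop is there at all. It would also help if the comment said that the values read through `it.second` belong to `pCopy`, so the copy has to stay in scope for the whole loop.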