[Backport] Fix for CVE-2019-5756

M71: Clone dict before iteration in CJS_Document::get_info

Bug: chromium:895152
TBR=tsepez@chromium.org
Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305
Reviewed-on: https://pdfium-review.googlesource.com/c/44050
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
(cherry picked from commit d2e27d660a96080882e43825fb4b5d03e8a4d05a)
Reviewed-on: https://pdfium-review.googlesource.com/c/47333
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

1 files changed, 3 insertions, 2 deletions

diff --git a/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp b/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp
index 15b58090875..9eba660eae8 100644
--- a/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp
+++ b/chromium/third_party/pdfium/fpdfsdk/javascript/Document.cpp
@@ -808,8 +808,9 @@ bool Document::info(IJS_Context* cc,
   pRuntime->PutObjectString(pObj, L"ModDate", cwModDate);
   pRuntime->PutObjectString(pObj, L"Trapped", cwTrapped);
 
-  // It's to be compatible to non-standard info dictionary.
-  for (const auto& it : *pDictionary) {
+  // PutObjectProperty() calls below may re-enter JS and change info dict.
+  auto pCopy = pDictionary->Clone();
+  for (const auto& it : *ToDictionary(pCopy.get())) {
     const CFX_ByteString& bsKey = it.first;
     CPDF_Object* pValueObj = it.second;
     CFX_WideString wsKey = CFX_WideString::FromUTF8(bsKey.AsStringC());