authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-12-20 11:19:23 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-04 13:03:26 +0000
commit7869641c98f998ce83bcb520e3046dafdd00fc80 (patch)
tree39f13c19dafd0702290283ba95d7fa5af0a32615
parent79ef6c0691d4bd46e2a70499d93d5702947d4c9d (diff)
downloadqtwebengine-chromium-7869641c98f998ce83bcb520e3046dafdd00fc80.tar.gz
[Backport] Setting focus on a widget may destroy the widget
When a widget has focus set, this can trigger an Invalidation call which can trigger a page and annotation reload. This reload can destroy the current widget we're handling. This CL adds ObservedPtrs as needed so we can make sure the widgets are still alive after we've done the Invalidation. Bug: chromium:765921 Reviewed-on: https://pdfium-review.googlesource.com/14290 (CVE-2017-15410) Change-Id: Ic7420bf80e42db4d2f76b3ae0408b0692b2bd64c Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_caret.cpp15
-rw-r--r--chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_edit.cpp12
-rw-r--r--chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_wnd.cpp20
3 files changed, 36 insertions, 11 deletions
diff --git a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_caret.cpp b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_caret.cpp
index a9a5b860997..0870f71d9f6 100644
--- a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_caret.cpp
+++ b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_caret.cpp
@@ -59,6 +59,8 @@ void CPWL_Caret::TimerProc() {
} else {
m_bFlash = !m_bFlash;
InvalidateRect();
+ // Note, |this| may no longer be viable at this point. If more work needs
+ // to be done, add an observer.
}
}
@@ -77,15 +79,24 @@ void CPWL_Caret::SetCaret(bool bVisible,
m_ptFoot = ptFoot;
m_bFlash = true;
Move(m_rcInvalid, false, true);
+ // Note, |this| may no longer be viable at this point. If more work
+ // needs to be done, add an observer.
}
} else {
m_ptHead = ptHead;
m_ptFoot = ptFoot;
EndTimer();
BeginTimer(PWL_CARET_FLASHINTERVAL);
+
+ ObservedPtr observer(this);
CPWL_Wnd::SetVisible(true);
+ if (!observer)
+ return;
+
m_bFlash = true;
Move(m_rcInvalid, false, true);
+ // Note, |this| may no longer be viable at this point. If more work needs
+ // to be done, add an observer.
}
} else {
m_ptHead = CFX_PointF();
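Review bot: The new `ObservedPtr observer(this);` guard around `CPWL_Wnd::SetVisible(true)` has no comment saying why that call in particular is the dangerous one; the trailing notes in this hunk only state that |this| "may no longer be viable", so a reader of the else branch has to go to the commit message to learn the mechanism. A one-line why-comment above the guard would close that gap: `// SetVisible() invalidates the window, which can reload the page and its annotations and destroy |this|.` The same missing explanation applies to the two guards added in CPWL_Edit::OnSetFocus in cpwl_edit.cpp. SetCaret starts before this hunk and its body continues past it.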
@@ -94,6 +105,8 @@ void CPWL_Caret::SetCaret(bool bVisible,
if (IsVisible()) {
EndTimer();
CPWL_Wnd::SetVisible(false);
+ // Note, |this| may no longer be viable at this point. If more work needs
+ // to be done, add an observer.
}
}
}
@@ -111,4 +124,6 @@ void CPWL_Caret::InvalidateRect(CFX_FloatRect* pRect) {
} else {
CPWL_Wnd::InvalidateRect(pRect);
}
+ // Note, |this| may no longer be viable at this point. If more work needs
+ // to be done, add an observer.
}
diff --git a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_edit.cpp b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_edit.cpp
index a3761c04eab..5dd72365804 100644
--- a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_edit.cpp
+++ b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_edit.cpp
@@ -331,16 +331,24 @@ bool CPWL_Edit::OnRButtonUp(const CFX_PointF& point, uint32_t nFlag) {
}
void CPWL_Edit::OnSetFocus() {
+ ObservedPtr observed_ptr(this);
SetEditCaret(true);
+ if (!observed_ptr)
+ return;
+
if (!IsReadOnly()) {
- if (IPWL_FocusHandler* pFocusHandler = GetFocusHandler())
+ if (IPWL_FocusHandler* pFocusHandler = GetFocusHandler()) {
pFocusHandler->OnSetFocus(this);
+ if (!observed_ptr)
+ return;
+ }
}
m_bFocus = true;
}
void CPWL_Edit::OnKillFocus() {
- ObservedPtr observed_ptr = ObservedPtr(this);
+ ObservedPtr observed_ptr(this);
+
CPWL_ScrollBar* pScroll = GetVScrollBar();
if (pScroll && pScroll->IsVisible()) {
pScroll->SetVisible(false);
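Review bot: OnKillFocus is cut at `pScroll->SetVisible(false);`, the last line of the hunk, and its body continues outside it; by the commit's own reasoning that SetVisible call can trigger an invalidation that destroys `this`, so the next member access after it needs an `if (!observed_ptr) return;`, and the hunk only shows the re-spelled `ObservedPtr observed_ptr(this);` declaration, not the check. Worth confirming the check is present before the first use of `this` that follows. In OnSetFocus the placement looks right: both `SetEditCaret(true)` and `pFocusHandler->OnSetFocus(this)` are followed by an observer check before `m_bFocus = true;` is reached.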
diff --git a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_wnd.cpp b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_wnd.cpp
index 09a2682aedd..223182c2967 100644
--- a/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_wnd.cpp
+++ b/chromium/third_party/pdfium/fpdfsdk/pdfwindow/cpwl_wnd.cpp
@@ -85,19 +85,21 @@ class CPWL_MsgControl : public CFX_Observable<CPWL_MsgControl> {
void SetFocus(CPWL_Wnd* pWnd) {
m_aKeyboardPath.clear();
- if (pWnd) {
- m_pMainKeyboardWnd = pWnd;
- CPWL_Wnd* pParent = pWnd;
- while (pParent) {
- m_aKeyboardPath.push_back(pParent);
- pParent = pParent->GetParentWindow();
- }
- pWnd->OnSetFocus();
+ if (!pWnd)
+ return;
+
+ m_pMainKeyboardWnd = pWnd;
+ CPWL_Wnd* pParent = pWnd;
+ while (pParent) {
+ m_aKeyboardPath.push_back(pParent);
+ pParent = pParent->GetParentWindow();
}
+ // Note, pWnd may get destroyed in the OnSetFocus call.
+ pWnd->OnSetFocus();
}
void KillFocus() {
- ObservedPtr observed_ptr = ObservedPtr(this);
+ ObservedPtr observed_ptr(this);
if (!m_aKeyboardPath.empty())
if (CPWL_Wnd* pWnd = m_aKeyboardPath[0])
pWnd->OnKillFocus();
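Review bot: After `pWnd->OnSetFocus();` returns, `m_pMainKeyboardWnd` and every entry of `m_aKeyboardPath` are still raw pointers to widgets that, as the new comment above the call says, may have just been destroyed, and nothing in this hunk resets them; `KillFocus()` below then dereferences `m_aKeyboardPath[0]` without any liveness check. Presumably the widget's destructor unregisters itself from this message control (that code is not in view), but if it does not, a later KillFocus would touch freed memory. I'd confirm that path exists and record the dependency next to the call, e.g. extend the comment to `// Note, pWnd may get destroyed in the OnSetFocus call; it must remove itself from m_aKeyboardPath/m_pMainKeyboardWnd when that happens.` KillFocus's body continues outside the hunk.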