diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-25 12:25:36 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-25 21:38:01 +0000 |
| commit | 966fee89515d156f9e636091a2573eda42273f58 (patch) | |
| tree | 9c83f27f75d7c102679b004401ed6331615fc381 | |
| parent | c21017c7e25188300838448e92567677812285e1 (diff) | |
| download | qtwebengine-chromium-966fee89515d156f9e636091a2573eda42273f58.tar.gz | |
[Backport] [pdf] Use a temporary list when unloading pages
When traversing the |deferred_page_unloads_| list and handling the
unloads it's possible for new pages to get added to the list which will
invalidate the iterator.
This CL swaps the list with an empty list and does the iteration on the
list copy. New items that are unloaded while handling the defers will be
unloaded at a later point.
Bug: 780450
Reviewed-on: https://chromium-review.googlesource.com/758916
Reviewed-by: Lei Zhang <thestig@chromium.org>
(CVE-2018-6031)
Change-Id: I259aec91d0006c6a3fa9fb4255b506fa2d12f113
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/pdf/pdfium/pdfium_engine.cc | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/chromium/pdf/pdfium/pdfium_engine.cc b/chromium/pdf/pdfium/pdfium_engine.cc index 22cff050cfa..414f1265d8a 100644 --- a/chromium/pdf/pdfium/pdfium_engine.cc +++ b/chromium/pdf/pdfium/pdfium_engine.cc @@ -1343,9 +1343,15 @@ bool PDFiumEngine::HandleEvent(const pp::InputEvent& event) { DCHECK(defer_page_unload_); defer_page_unload_ = false; - for (int page_index : deferred_page_unloads_) + + // Store the pages to unload away because the act of unloading pages can cause + // there to be more pages to unload. We leave those extra pages to be unloaded + // on the next go around. + std::vector<int> pages_to_unload; + std::swap(pages_to_unload, deferred_page_unloads_); + for (int page_index : pages_to_unload) pages_[page_index]->Unload(); - deferred_page_unloads_.clear(); + return rv; } |