authorAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-01 15:45:29 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-02-04 10:11:46 +0000
commit09ae6be5bb839612512e36f455bae0a694e8863b (patch)
tree77d59e50b369c38400f4fce2e36c4128106cca61
parent7a5167caf765d24ca7a4cafe67c849810226b75a (diff)
downloadqtwebengine-chromium-09ae6be5bb839612512e36f455bae0a694e8863b.tar.gz
[Backport] Fix for CVE-2019-5756
M71: Clone dict before iteration in CJS_Document::get_info Bug: chromium:895152 TBR=tsepez@chromium.org Change-Id: I678350841892f88a5d580b58a33a639a1b6ec305 Reviewed-on: https://pdfium-review.googlesource.com/c/44050 Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> (cherry picked from commit d2e27d660a96080882e43825fb4b5d03e8a4d05a) Reviewed-on: https://pdfium-review.googlesource.com/c/47333 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/pdfium/fxjs/cjs_document.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/chromium/third_party/pdfium/fxjs/cjs_document.cpp b/chromium/third_party/pdfium/fxjs/cjs_document.cpp
index 51e189ec887..5d05dae9bfa 100644
--- a/chromium/third_party/pdfium/fxjs/cjs_document.cpp
+++ b/chromium/third_party/pdfium/fxjs/cjs_document.cpp
@@ -677,8 +677,9 @@ CJS_Return CJS_Document::get_info(CJS_Runtime* pRuntime) {
pRuntime->PutObjectProperty(pObj, L"Trapped",
pRuntime->NewString(cwTrapped.AsStringView()));
- // It's to be compatible to non-standard info dictionary.
- for (const auto& it : *pDictionary) {
+ // PutObjectProperty() calls below may re-enter JS and change info dict.
+ auto pCopy = pDictionary->Clone();
+ for (const auto& it : *ToDictionary(pCopy.get())) {
const ByteString& bsKey = it.first;
CPDF_Object* pValueObj = it.second.get();
WideString wsKey = WideString::FromUTF8(bsKey.AsStringView());