[Backport] CVE-2023-1530: Use after free in PDF (1/2)

Manual backport of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/104397: Observe CPWL_* object destruction across CPDFSDK_Widget methods This is a simple fix to stop the symptoms while we investigate how to avoid mutations at these points in the first place. -- fix some nearby braces and annoying blank lines while at it. Bug: chromium:1419831 Change-Id: I20c38806b91c7c0c9016bb1b567a04ce319243d8 Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/104397 Commit-Queue: Tom Sepez <tsepez@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469851 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
author: Tom Sepez <tsepez@chromium.org> 2023-03-07 16:04:24 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2023-04-04 11:27:04 +0000
commit: fb66d7ca9641724670c96e999ad5b0fd6eb78d46 (patch)
tree: 383d63a0fc69a0b8df3e53e501112c1b8be56694 /chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp
parent: 7d80d640bf7263e1110442cc90299f2355c4b562 (diff)
download: qtwebengine-chromium-fb66d7ca9641724670c96e999ad5b0fd6eb78d46.tar.gz
1 files changed, 10 insertions, 6 deletions
diff --git a/chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp b/chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp
index 0cbc20a213c..c35f1485d51 100644
--- a/chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp
+++ b/chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp
@@ -110,7 +110,11 @@ void CFFL_ListBox::SaveData(CPDFSDK_PageView* pPageView) {
     return;
 
   int32_t nNewTopIndex = pListBox->GetTopVisibleIndex();
+  ObservedPtr<CPWL_ListBox> observed_box(pListBox);
   m_pWidget->ClearSelection(NotificationOption::kDoNotNotify);
+  if (!observed_box) {
+    return;
+  }
   if (m_pWidget->GetFieldFlags() & pdfium::form_flags::kChoiceMultiSelect) {
     for (int32_t i = 0, sz = pListBox->GetCount(); i < sz; i++) {
       if (pListBox->IsItemSelected(i)) {
@@ -125,17 +129,17 @@ void CFFL_ListBox::SaveData(CPDFSDK_PageView* pPageView) {
   ObservedPtr<CPDFSDK_Widget> observed_widget(m_pWidget.Get());
   ObservedPtr<CFFL_ListBox> observed_this(this);
   m_pWidget->SetTopVisibleIndex(nNewTopIndex);
-  if (!observed_widget)
+  if (!observed_widget) {
     return;
-
+  }
   m_pWidget->ResetFieldAppearance();
-  if (!observed_widget)
+  if (!observed_widget) {
     return;
-
+  }
   m_pWidget->UpdateField();
-  if (!observed_widget || !observed_this)
+  if (!observed_widget || !observed_this) {
     return;
-
+  }
   SetChangeMark();
 }
author	Tom Sepez <tsepez@chromium.org>	2023-03-07 16:04:24 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2023-04-04 11:27:04 +0000
commit	fb66d7ca9641724670c96e999ad5b0fd6eb78d46 (patch)
tree	383d63a0fc69a0b8df3e53e501112c1b8be56694 /chromium/third_party/pdfium/fpdfsdk/formfiller/cffl_listbox.cpp
parent	7d80d640bf7263e1110442cc90299f2355c4b562 (diff)
download	qtwebengine-chromium-fb66d7ca9641724670c96e999ad5b0fd6eb78d46.tar.gz