From 92253f4cc04b8fddd238e2fc9309d8c33c8bdc05 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Wed, 14 Oct 2020 17:20:54 +0000
Subject: [Backport] CVE-2020-16002: Use after free in PDFium.

Manual backport of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/75090:
Reverse order of CPWL_ListCtrl and CPWL_List_Notify cleanup

(Speculative) fix for the crash in 1137630, since it only reproduces sporadically on my system, but hasn't re-occured since applying the patch.

Bug: chromium:1137630
Change-Id: I4f52c7109eca00dfa8faee9bc6341cd94c25b60c
Reviewed-by: Michal Klocek
---
 chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h b/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
index 0371ba1b54b..af6b23a1d05 100644
--- a/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
+++ b/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
@@ -93,8 +93,8 @@ class CPWL_ListBox : public CPWL_Wnd {
 void AttachFFLData(CFFL_FormFiller* pData) { m_pFormFiller = pData; }
 protected:
+ std::unique_ptr m_pListNotify; // Must outlive |m_pList|.
 std::unique_ptr m_pList;
- std::unique_ptr m_pListNotify;
 bool m_bMouseDown;
 bool m_bHoverSel;
 UnownedPtr m_pFillerNotify;
--
cgit v1.2.1
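Review bot: The lifetime guarantee for `m_pListNotify` now rests only on member declaration order, so any later reshuffle of these two fields would silently bring the use-after-free back. The added comment should state the mechanism, for example `// Declared before |m_pList| so it is destroyed after it; |m_pList| presumably keeps a non-owning pointer to this.` The class body and its .cpp are outside the hunk, so it is worth confirming that no path resets `m_pListNotify` explicitly while `m_pList` is still alive, since the reorder only covers implicit destruction. Because the commit message calls the fix speculative, clearing the list's notify pointer on the teardown path before either member is destroyed would remove the ordering dependency entirely.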