commit 20e25f2d6cbe4e9955a6e7c445749d5492548d76
author Lei Zhang <thestig@chromium.org> Wed Jan 06 22:54:48 2016 -0800
committer Lei Zhang <thestig@chromium.org> Wed Jan 06 22:54:48 2016 -0800
tree f8050017d4fd24cdb6b33d37067386a55465577d
parent ab5537db5f9f52f19dea03850512fd6b10bdcd84

XFA: Change the destruction order inside CPDFXFA_Document to avoid UAFs.

R=jun_fang@foxitsoftware.com, tsepez@chromium.org

Review URL: https://codereview.chromium.org/1566903002 .

fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h

diff --git a/fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h b/fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h
index 451b561..c612143 100644
--- a/fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h
+++ b/fpdfsdk/include/fpdfxfa/fpdfxfa_doc.h
@@ -37,7 +37,6 @@
   int GetDocType() { return m_iDocType; }

 

   CPDFSDK_Document* GetSDKDocument(CPDFDoc_Environment* pFormFillEnv);

-  void ReleaseSDKDoc();

 

   void FXRect2PDFRect(const CFX_RectF& fxRectF, CPDF_Rect& pdfRect);

 

fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp

diff --git a/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp b/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp
index 16f3209..fb30ba4 100644
--- a/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp
+++ b/fpdfsdk/src/fpdfxfa/fpdfxfa_doc.cpp
@@ -45,14 +45,17 @@
 }

 

 CPDFXFA_Document::~CPDFXFA_Document() {

+  if (m_pJSContext && m_pSDKDoc && m_pSDKDoc->GetEnv())

+    m_pSDKDoc->GetEnv()->GetJSRuntime()->ReleaseContext(m_pJSContext);

+

+  delete m_pSDKDoc;

+

   if (m_pPDFDoc) {

-    CPDF_Parser* pParser = (CPDF_Parser*)m_pPDFDoc->GetParser();

-    if (pParser == NULL) {

-      delete m_pPDFDoc;

-    } else {

+    CPDF_Parser* pParser = m_pPDFDoc->GetParser();

+    if (pParser)

       delete pParser;

-    }

-    m_pPDFDoc = NULL;

+    else

+      delete m_pPDFDoc;

   }

   if (m_pXFADoc) {

     IXFA_App* pApp = m_pApp->GetXFAApp();

@@ -63,17 +66,6 @@
       }

     }

   }

-

-  if (m_pJSContext) {

-    if (m_pSDKDoc && m_pSDKDoc->GetEnv()) {

-      m_pSDKDoc->GetEnv()->GetJSRuntime()->ReleaseContext(m_pJSContext);

-      m_pJSContext = NULL;

-    }

-  }

-

-  if (m_pSDKDoc)

-    delete m_pSDKDoc;

-  m_pSDKDoc = NULL;

 }

 

 FX_BOOL CPDFXFA_Document::LoadXFADoc() {

@@ -204,13 +196,6 @@
   return m_pSDKDoc;

 }

 

-void CPDFXFA_Document::ReleaseSDKDoc() {

-  if (m_pSDKDoc)

-    delete m_pSDKDoc;

-

-  m_pSDKDoc = NULL;

-}

-

 void CPDFXFA_Document::FXRect2PDFRect(const CFX_RectF& fxRectF,

                                       CPDF_Rect& pdfRect) {

   pdfRect.left = fxRectF.left;

@@ -219,7 +204,6 @@
   pdfRect.bottom = fxRectF.top;

 }

 

-//////////////////////////////////////////////////////////////////////////

 void CPDFXFA_Document::SetChangeMark(IXFA_Doc* hDoc) {

   if (hDoc == m_pXFADoc && m_pSDKDoc) {

     m_pSDKDoc->SetChangeMark();