Fix issue when firing TimerProc() destroys timer
We must look the timer up a second time since the callback
may have released it.
BUG=634394
Review-Url: https://codereview.chromium.org/2214003003
diff --git a/fpdfsdk/javascript/JS_Object.cpp b/fpdfsdk/javascript/JS_Object.cpp
index b0a307b..9ec3163 100644
--- a/fpdfsdk/javascript/JS_Object.cpp
+++ b/fpdfsdk/javascript/JS_Object.cpp
@@ -115,16 +115,25 @@
// static
void CJS_Timer::TimerProc(int idEvent) {
- const auto it = GetGlobalTimerMap()->find(idEvent);
- if (it != GetGlobalTimerMap()->end()) {
- CJS_Timer* pTimer = it->second;
- if (!pTimer->m_bProcessing) {
- CFX_AutoRestorer<bool> scoped_processing(&pTimer->m_bProcessing);
- pTimer->m_bProcessing = true;
- if (pTimer->m_pEmbedObj)
- pTimer->m_pEmbedObj->TimerProc(pTimer);
- }
- }
+ auto it = GetGlobalTimerMap()->find(idEvent);
+ if (it == GetGlobalTimerMap()->end())
+ return;
+
+ CJS_Timer* pTimer = it->second;
+ if (pTimer->m_bProcessing)
+ return;
+
+ pTimer->m_bProcessing = true;
+ if (pTimer->m_pEmbedObj)
+ pTimer->m_pEmbedObj->TimerProc(pTimer);
+
+ // Timer proc may have destroyed timer, find it again.
+ it = GetGlobalTimerMap()->find(idEvent);
+ if (it == GetGlobalTimerMap()->end())
+ return;
+
+ pTimer = it->second;
+ pTimer->m_bProcessing = false;
}
// static
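Review bot: The second lookup in `TimerProc` is keyed only on `idEvent`, so it proves that some timer is registered under that id, not that it is the same `CJS_Timer` whose flag was set before the callback. If the callback can destroy the timer and register a new one that receives the same id (whether ids are reused is not visible in this hunk), the code would clear `m_bProcessing` on an unrelated object. Comparing identity as well would close that gap: `if (it == GetGlobalTimerMap()->end() || it->second != pTimer) return;`. I would also extend the comment to state that `pTimer` must not be dereferenced after `m_pEmbedObj->TimerProc(pTimer)` returns until it has been re-validated, since that is the use-after-free this change guards against.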