author | Tom Sepez <tsepez@chromium.org> | 2022-09-22 18:09:04 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2022-11-07 08:55:04 +0000 |
commit | f31f41b8a1e4de74b83d010e87a615afb25f2837 (patch) | |
tree | af6bc85dacba14b52cf9c430108019d857024b76 | |
parent | 3c203785398f6a5100bafea55c3cfb86646e49bb (diff) | |
download | qtwebengine-chromium-f31f41b8a1e4de74b83d010e87a615afb25f2837.tar.gz |
[Backport] CVE-2022-3198: Use after free in PDF
Cherry-pick of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/97170:
Avoid de-referencing end() in GetNextAvailContentHeight().
Add the same HasCurrentViewRecord() check as in other methods.
Bug: chromium:1355682
Change-Id: I466f386f037801daa82ead30239f34e025748748
Auto-Submit: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
(cherry picked from commit 0d76a139d7ffbbdfb0ef5f5e714597a25f9767c4)
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/440021
-rw-r--r-- | chromium/third_party/pdfium/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/third_party/pdfium/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp b/chromium/third_party/pdfium/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp index caba9df3321..6fd05aae707 100644 --- a/chromium/third_party/pdfium/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp +++ b/chromium/third_party/pdfium/xfa/fxfa/layout/cxfa_viewlayoutprocessor.cpp @@ -1543,6 +1543,8 @@ void CXFA_ViewLayoutProcessor::ProcessLastPageSet() { } bool CXFA_ViewLayoutProcessor::GetNextAvailContentHeight(float fChildHeight) { + if (!HasCurrentViewRecord()) + return false; CXFA_Node* pCurContentNode = GetCurrentViewRecord()->pCurContentArea->GetFormNode(); if (!pCurContentNode) |
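Review bot: The new early return at the top of GetNextAvailContentHeight() is the right place to stop the end() dereference in `GetCurrentViewRecord()->pCurContentArea->GetFormNode()`, but the change ships with no regression test that reaches this method while no current view record exists, so nothing would catch the guard being dropped in a later refactor. Since the commit message says the same HasCurrentViewRecord() check already exists in other methods, it would also be worth confirming in the same review that every remaining GetCurrentViewRecord() caller in this file is guarded, and that returning false here (the caller sees it as "no available height") is the behaviour the callers expect rather than a silent layout change.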