Fix heap use after free in Document::DoFieldDelay and Document::delay
author    Tom Sepez <tsepez@chromium.org>
          Tue, 2 Jun 2015 17:09:49 +0000 (10:09 -0700)
committer Tom Sepez <tsepez@chromium.org>
          Tue, 2 Jun 2015 17:09:49 +0000 (10:09 -0700)
commit    4ff7a4246c81a71b4f878e959b3ca304cd76ec8a
tree      2a8002655a6300e69408d08196bb86a6f1b0145f
parent    8e1b60824d079546c8cc3f0e3d9fa0ea9fa980fa
Fix heap use after free in Document::DoFieldDelay and Document::delay

This fix removes the CJS_DelayData objects from the m_DelayData array and copies
them to a new array before processing them, so the contents of the m_DelayData
array cannot be used after they are freed.

BUG=487928

R=tsepez@chromium.org

TEST=Chrome PDF plugin should not crash when poc_stable, testuafdocument1.pdf
     and testuafdocument2.pdf are viewed.
     See crbug.com/487928 and crbug.com/487928#c18 for more details.

Review URL: https://codereview.chromium.org/1163823002
fpdfsdk/src/javascript/Document.cpp
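The pattern the commit message describes, iterating a member array while the per-entry work can re-enter the object and free or reallocate that same array, is shown below as an added, self-contained illustration. It is not PDFium's code: only the names m_DelayData, DoFieldDelay and delay come from the commit message; DelayData, Document::AddDelayData, FlushAll, Pending, Applied, on_apply and RunReentrantScenario are assumed stand-ins. The buggy shape is left as a comment; the two live methods use the fix's approach of detaching the entries into a local batch before processing them, and the scenario at the bottom re-enters the Document from inside the processing callback to show that the batch being walked is unaffected.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for CJS_DelayData: one deferred field update.
struct DelayData {
  std::string field_name;
  int control_index;
  std::string value;
};

class Document {
 public:
  // Stand-in for the script-visible side effects of applying an update. The
  // callback may re-enter the Document and queue or flush more entries, which
  // is the re-entrancy that a direct walk over m_DelayData does not survive.
  std::function<void(Document&, const DelayData&)> on_apply;

  void AddDelayData(const std::string& field, int index, const std::string& value) {
    m_DelayData.push_back(std::make_unique<DelayData>(DelayData{field, index, value}));
  }

  // Buggy shape (deliberately not executed): walking m_DelayData while Apply()
  // runs means a re-entrant AddDelayData()/erase() can reallocate the vector or
  // free the element being visited, so pData dangles when control returns here.
  //
  //   for (size_t i = 0; i < m_DelayData.size(); ++i) {
  //     DelayData* pData = m_DelayData[i].get();
  //     if (pData->field_name == field) { Apply(*pData); /* erase i */ }
  //   }

  // Hardened shape: move the matching entries out of m_DelayData into a local
  // batch first, then process the batch. Re-entrant calls only ever see the
  // member array, never the entries currently being processed.
  size_t DoFieldDelay(const std::string& field, int index) {
    std::vector<std::unique_ptr<DelayData>> batch;
    for (auto it = m_DelayData.begin(); it != m_DelayData.end();) {
      if ((*it)->field_name == field && (*it)->control_index == index) {
        batch.push_back(std::move(*it));
        it = m_DelayData.erase(it);
      } else {
        ++it;
      }
    }
    for (const auto& data : batch) Apply(*data);  // batch owns these; m_DelayData may change freely
    return batch.size();
  }

  // Equivalent of delay(false): flush every pending entry. swap() detaches the
  // whole array in O(1), so a re-entrant FlushAll() sees an empty member array.
  size_t FlushAll() {
    std::vector<std::unique_ptr<DelayData>> batch;
    batch.swap(m_DelayData);
    for (const auto& data : batch) Apply(*data);
    return batch.size();
  }

  size_t Pending() const { return m_DelayData.size(); }
  const std::vector<std::string>& Applied() const { return applied_; }

 private:
  void Apply(const DelayData& d) {
    applied_.push_back(d.field_name + "[" + std::to_string(d.control_index) + "]=" + d.value);
    if (on_apply) on_apply(*this, d);
  }

  std::vector<std::unique_ptr<DelayData>> m_DelayData;
  std::vector<std::string> applied_;
};

// Constructed scenario: three queued updates, and a callback that re-enters the
// Document while "a" is being applied. Returns the order in which updates landed.
std::vector<std::string> RunReentrantScenario() {
  Document doc;
  doc.AddDelayData("f1", 0, "a");
  doc.AddDelayData("f1", 0, "b");
  doc.AddDelayData("f2", 0, "c");
  doc.on_apply = [](Document& d, const DelayData& data) {
    if (data.value == "a") {
      d.AddDelayData("f3", 0, "d");  // mutates m_DelayData mid-processing
      d.DoFieldDelay("f3", 0);       // re-entrant processing of the new entry
    }
  };
  doc.DoFieldDelay("f1", 0);  // processes a, (d via re-entry), b; f2 stays pending
  doc.FlushAll();             // processes c
  return doc.Applied();
}

int main() {
  for (const auto& s : RunReentrantScenario()) std::cout << s << '\n';
}
```

With the detached batch, the re-entrant AddDelayData and DoFieldDelay inside the callback touch only m_DelayData, so the outer loop's entries stay alive and owned until it finishes; the same re-entry against the commented-out index walk would invalidate the element pointer after the vector reallocates or the entry is erased.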