Fix an unsafe access in PDFiumEngine::ExtendSelection().
Avoid references for vector elements when the vector can change. BUG=956230 Change-Id: I9864ba6e176bd162965aae32c88de5e69a0d60f1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1584934 Commit-Queue: Lei Zhang <thestig@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#654523}
@ -1734,9 +1734,8 @@ bool PDFiumEngine::ExtendSelection(int page_index, int char_index) {
|
||||
if (selection_.empty())
|
||||
return false;
|
||||
|
||||
PDFiumRange& last_selection = selection_.back();
|
||||
const int last_page_index = last_selection.page_index();
|
||||
const int last_char_index = last_selection.char_index();
|
||||
const int last_page_index = selection_.back().page_index();
|
||||
const int last_char_index = selection_.back().char_index();
|
||||
if (last_page_index == page_index) {
|
||||
// Selecting within a page.
|
||||
int count = char_index - last_char_index;
|
||||
@ -1746,10 +1745,15 @@ bool PDFiumEngine::ExtendSelection(int page_index, int char_index) {
|
||||
} else {
|
||||
--count;
|
||||
}
|
||||
last_selection.SetCharCount(count);
|
||||
selection_.back().SetCharCount(count);
|
||||
} else if (last_page_index < page_index) {
|
||||
// Selecting into the next page.
|
||||
|
||||
// Save the current last selection for use below.
|
||||
// Warning: Do not use references / pointers into |selection_|, as the code
|
||||
// below can modify |selection_| and invalidate those references / pointers.
|
||||
const size_t last_selection_index = selection_.size() - 1;
|
||||
|
||||
// First make sure that there are no gaps in selection, i.e. if mousedown on
|
||||
// page one but we only get mousemove over page three, we want page two.
|
||||
for (int i = last_page_index + 1; i < page_index; ++i) {
|
||||
@ -1758,14 +1762,14 @@ bool PDFiumEngine::ExtendSelection(int page_index, int char_index) {
|
||||
}
|
||||
|
||||
int count = pages_[last_page_index]->GetCharCount();
|
||||
last_selection.SetCharCount(count - last_char_index);
|
||||
selection_[last_selection_index].SetCharCount(count - last_char_index);
|
||||
selection_.push_back(PDFiumRange(pages_[page_index].get(), 0, char_index));
|
||||
} else {
|
||||
// Selecting into the previous page.
|
||||
// The selection's char_index is 0-based, so the character count is one
|
||||
// more than the index. The character count needs to be negative to
|
||||
// indicate a backwards selection.
|
||||
last_selection.SetCharCount(-last_char_index - 1);
|
||||
selection_.back().SetCharCount(-last_char_index - 1);
|
||||
|
||||
// First make sure that there are no gaps in selection, i.e. if mousedown on
|
||||
// page three but we only get mousemove over page one, we want page two.
|
||||
|
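Review bot: The new warning about references into |selection_| sits only in the next-page branch, but the previous-page branch has the same shape: it writes through `selection_.back()` and is then followed by its own gap-filling code, which continues outside this hunk and presumably also grows |selection_|. That write is safe only because it happens before anything is appended, so a later reordering could bring back the stale-reference access this commit removes. I would repeat the note there, e.g. `// Must run before the gap filling below modifies |selection_|.` above `selection_.back().SetCharCount(-last_char_index - 1);`. The saved `last_selection_index` likewise stays valid only while the loop between its definition and its use appends to |selection_| and never erases or inserts earlier elements. The loop body is not visible here, so that assumption is worth stating in the comment as well.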