authorTom Sepez <tsepez@chromium.org>2020-10-14 17:20:54 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-10-22 11:31:41 +0000
commit92253f4cc04b8fddd238e2fc9309d8c33c8bdc05 (patch)
tree385ca4a106ca882100c6b4066f9b12094ff32325
parent6475589b7edc2f70f1b9fd4c1cf49b39d82b267b (diff)
[Backport] CVE-2020-16002: Use after free in PDFium.v5.12.10
Manual backport of patch originally reviewed on https://pdfium-review.googlesource.com/c/pdfium/+/75090: Reverse order of CPWL_ListCtrl and CPWL_List_Notify cleanup (Speculative) fix for the crash in 1137630, since it only reproduces sporadically on my system, but hasn't re-occurred since applying the patch. Bug: chromium:1137630 Change-Id: I4f52c7109eca00dfa8faee9bc6341cd94c25b60c Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h b/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
index 0371ba1b54b..af6b23a1d05 100644
--- a/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
+++ b/chromium/third_party/pdfium/fpdfsdk/pwl/cpwl_list_box.h
@@ -93,8 +93,8 @@ class CPWL_ListBox : public CPWL_Wnd {
void AttachFFLData(CFFL_FormFiller* pData) { m_pFormFiller = pData; }
protected:
+ std::unique_ptr<CPWL_List_Notify> m_pListNotify; // Must outlive |m_pList|.
std::unique_ptr<CPWL_ListCtrl> m_pList;
- std::unique_ptr<CPWL_List_Notify> m_pListNotify;
bool m_bMouseDown;
bool m_bHoverSel;
UnownedPtr<IPWL_Filler_Notify> m_pFillerNotify;
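Review bot: The lifetime guarantee for `m_pListNotify` now rests entirely on member declaration order in the `protected:` section, and the comment `// Must outlive |m_pList|.` does not say how that is achieved, so a later cosmetic reorder could silently bring the use-after-free back. I would expand it to something like `// Declared before |m_pList| so that it is destroyed after it (members are destroyed in reverse declaration order); do not reorder.` Declaration order only covers implicit destruction in the destructor. The diffstat lists this header alone, so any explicit `reset()` or reassignment of `m_pListNotify` in the .cpp (not visible here) should be checked to confirm the list's reference to the notifier is cleared first. Construction order is reversed as well, so a constructor member-initializer list that names both members would need the same order to avoid a reorder warning. The class body starts and ends outside the hunk, so neither can be verified from this page.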