authorTom Sepez <tsepez@chromium.org>2018-04-06 17:40:45 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-04-06 17:40:45 +0000
commit2aa01f5ccbf1464b43527c1ffa6b42bafed9ebeb (patch)
treef4b29ace656a69dcfaef426b36d56b6fa27bde80
parentace80b32dab5c6eaa32cc2f23c4540a5313879a1 (diff)
downloadpdfium-2aa01f5ccbf1464b43527c1ffa6b42bafed9ebeb.tar.xz
Avoid uninitialized internal fields in V8 global objects.
V8 won't do this for us when it creates a global object under the covers off of a template with a non-zero internal field count, instead just leaving it uninitialized. We were careful to set the internal fields on the object we explicitly create, but there are these implicitly created ones as part of making a new context that need to be handled as well. BUG: pdfium:1005 Change-Id: Ic40bafc206ec5119cbceb58f0bb725693e7ddf80 Reviewed-on: https://pdfium-review.googlesource.com/29910 Reviewed-by: dsinclair <dsinclair@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org>
-rw-r--r--fxjs/cfxjs_engine.cpp13
-rw-r--r--fxjs/cfxjse_context.cpp10
-rw-r--r--fxjs/cfxjse_runtimedata.cpp9
3 files changed, 31 insertions, 1 deletions
diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp
index 54aa28cf4b..5def57e992 100644
--- a/fxjs/cfxjs_engine.cpp
+++ b/fxjs/cfxjs_engine.cpp
@@ -437,6 +437,19 @@ void CFXJS_Engine::InitializeEngine() {
v8::Local<v8::Context> v8Context = v8::Context::New(
GetIsolate(), nullptr, GetGlobalObjectTemplate(GetIsolate()));
+
+ // May not have the internal fields when called from tests.
+ v8::Local<v8::Object> pThisProxy = v8Context->Global();
+ if (pThisProxy->InternalFieldCount() == 2) {
+ pThisProxy->SetAlignedPointerInInternalField(0, nullptr);
+ pThisProxy->SetAlignedPointerInInternalField(1, nullptr);
+ }
+ v8::Local<v8::Object> pThis = pThisProxy->GetPrototype().As<v8::Object>();
+ if (pThis->InternalFieldCount() == 2) {
+ pThis->SetAlignedPointerInInternalField(0, nullptr);
+ pThis->SetAlignedPointerInInternalField(1, nullptr);
+ }
+
v8::Context::Scope context_scope(v8Context);
SetIntoContext(v8Context);
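Review bot: The `InternalFieldCount() == 2` guards on pThisProxy and pThis silently skip initialization for any other non-zero count, so a later template change to one or three fields would reintroduce exactly the uninitialized-pointer read this commit is fixing, while the same block in CFXJSE_Context::Create (second hunk) ASSERTs the literal 2 instead — the two files disagree on how a mismatch is handled. Nulling every field the object actually has, in a small file-local helper, removes the magic number, covers the zero-field test case the comment describes, and lets both call sites share one implementation. The helper below is meant to replace both blocks (this hunk and the one in fxjs/cfxjse_context.cpp). InitializeEngine's body continues outside the hunk.
```cpp
namespace {

// Internal fields of a freshly created global start out uninitialized; null
// them all so any later aligned-pointer read from them sees nullptr, not stale
// memory. Handles the zero-field case (tests) without a hard-coded count.
void ClearInternalFields(v8::Local<v8::Object> pObj) {
  for (int i = 0; i < pObj->InternalFieldCount(); ++i)
    pObj->SetAlignedPointerInInternalField(i, nullptr);
}

}  // namespace

// … unchanged: v8::Context::New(...) …
  v8::Local<v8::Object> pThisProxy = v8Context->Global();
  ClearInternalFields(pThisProxy);
  ClearInternalFields(pThisProxy->GetPrototype().As<v8::Object>());
```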
diff --git a/fxjs/cfxjse_context.cpp b/fxjs/cfxjse_context.cpp
index d12758de2a..03bcc4d6ab 100644
--- a/fxjs/cfxjse_context.cpp
+++ b/fxjs/cfxjse_context.cpp
@@ -187,6 +187,16 @@ std::unique_ptr<CFXJSE_Context> CFXJSE_Context::Create(
v8::Local<v8::Context> hNewContext =
v8::Context::New(pIsolate, nullptr, hObjectTemplate);
+ v8::Local<v8::Object> pThisProxy = hNewContext->Global();
+ ASSERT(pThisProxy->InternalFieldCount() == 2);
+ pThisProxy->SetAlignedPointerInInternalField(0, nullptr);
+ pThisProxy->SetAlignedPointerInInternalField(1, nullptr);
+
+ v8::Local<v8::Object> pThis = pThisProxy->GetPrototype().As<v8::Object>();
+ ASSERT(pThis->InternalFieldCount() == 2);
+ pThis->SetAlignedPointerInInternalField(0, nullptr);
+ pThis->SetAlignedPointerInInternalField(1, nullptr);
+
v8::Local<v8::Context> hRootContext = v8::Local<v8::Context>::New(
pIsolate, CFXJSE_RuntimeData::Get(pIsolate)->m_hRootContext);
hNewContext->SetSecurityToken(hRootContext->GetSecurityToken());
diff --git a/fxjs/cfxjse_runtimedata.cpp b/fxjs/cfxjse_runtimedata.cpp
index 0153e81a6c..540bcb084e 100644
--- a/fxjs/cfxjse_runtimedata.cpp
+++ b/fxjs/cfxjse_runtimedata.cpp
@@ -24,6 +24,7 @@ std::unique_ptr<CFXJSE_RuntimeData> CFXJSE_RuntimeData::Create(
v8::Local<v8::FunctionTemplate> hFuncTemplate =
v8::FunctionTemplate::New(pIsolate);
+
v8::Local<v8::ObjectTemplate> hGlobalTemplate =
hFuncTemplate->InstanceTemplate();
hGlobalTemplate->Set(
@@ -33,8 +34,14 @@ std::unique_ptr<CFXJSE_RuntimeData> CFXJSE_RuntimeData::Create(
v8::Local<v8::Context> hContext =
v8::Context::New(pIsolate, 0, hGlobalTemplate);
- hContext->SetSecurityToken(v8::External::New(pIsolate, pIsolate));
+ ASSERT(hContext->Global()->InternalFieldCount() == 0);
+ ASSERT(hContext->Global()
+ ->GetPrototype()
+ .As<v8::Object>()
+ ->InternalFieldCount() == 0);
+
+ hContext->SetSecurityToken(v8::External::New(pIsolate, pIsolate));
pRuntimeData->m_hRootContextGlobalTemplate.Reset(pIsolate, hFuncTemplate);
pRuntimeData->m_hRootContext.Reset(pIsolate, hContext);
return pRuntimeData;
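Review bot: The two new ASSERTs pin an invariant (the root context's global proxy and global object carry no internal fields) without saying why it holds or why this site, unlike CFXJSE_Context::Create, nulls nothing; a short comment would keep the next reader from "fixing" it by adding the clearing sequence here too. Something like `// hGlobalTemplate declares no internal fields, so there is nothing to null out here (contrast CFXJSE_Context::Create); the ASSERTs guard that assumption.` Whether the template's field count is truly never set is not visible in this hunk, so confirm that before wording the comment as a guarantee; note also that ASSERT is debug-only, so release builds get no check. CFXJSE_RuntimeData::Create starts outside the hunk.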