diff options
| author | tsepez <tsepez@chromium.org> | 2016-06-09 09:32:44 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2016-06-09 09:32:44 -0700 |
| commit | 2334e9e583799a8cb2dfefb3c7e15c5a7da8ead0 (patch) | |
| tree | bf0391385c463d722a8896e1367df40940fdf8cf | |
| parent | 9e077d288016ac796fef18c27cd0851c0a07ff86 (diff) | |
| download | pdfium-2334e9e583799a8cb2dfefb3c7e15c5a7da8ead0.tar.xz | |
Fix crash in CXFA_Node::TryUserData() (speculative)
Fix is speculative because I can't repro locally, but I know the
current code is wrong.
I fixed this intially in https://codereview.chromium.org/2015143005/
I then broke it again in https://codereview.chromium.org/2019333006/
There is another spot where we are still casting through void*, and
the CXFA_Node*'s alignment is getting messed up when it fails to adjust
for it's vtable. Using CFXJSE_HostObject consistently avoids the issue.
Adding a virtual dtor to CFXJSE_HostObject might skirt the issue, but
I want to be able to wrap simple objects without that penalty if
desired.
BUG=616339
Review-Url: https://codereview.chromium.org/2055473004
| -rw-r--r-- | xfa/fxjse/cfxjse_arguments.h | 3 | ||||
| -rw-r--r-- | xfa/fxjse/class.cpp | 3 | ||||
| -rw-r--r-- | xfa/fxjse/include/fxjse.h | 6 |
3 files changed, 9 insertions, 3 deletions
diff --git a/xfa/fxjse/cfxjse_arguments.h b/xfa/fxjse/cfxjse_arguments.h index fd83f8e7f4..7091f8dea6 100644 --- a/xfa/fxjse/cfxjse_arguments.h +++ b/xfa/fxjse/cfxjse_arguments.h @@ -26,7 +26,8 @@ class CFXJSE_Arguments { int32_t GetInt32(int32_t index) const; FX_FLOAT GetFloat(int32_t index) const; CFX_ByteString GetUTF8String(int32_t index) const; - void* GetObject(int32_t index, CFXJSE_Class* pClass = nullptr) const; + CFXJSE_HostObject* GetObject(int32_t index, + CFXJSE_Class* pClass = nullptr) const; CFXJSE_Value* GetReturnValue(); private: diff --git a/xfa/fxjse/class.cpp b/xfa/fxjse/class.cpp index bd589453f2..e9d67d8cda 100644 --- a/xfa/fxjse/class.cpp +++ b/xfa/fxjse/class.cpp @@ -147,7 +147,8 @@ CFX_ByteString CFXJSE_Arguments::GetUTF8String(int32_t index) const { return CFX_ByteString(*szStringVal); } -void* CFXJSE_Arguments::GetObject(int32_t index, CFXJSE_Class* pClass) const { +CFXJSE_HostObject* CFXJSE_Arguments::GetObject(int32_t index, + CFXJSE_Class* pClass) const { v8::Local<v8::Value> hValue = (*m_pInfo)[index]; ASSERT(!hValue.IsEmpty()); if (!hValue->IsObject()) diff --git a/xfa/fxjse/include/fxjse.h b/xfa/fxjse/include/fxjse.h index d7c85f54e8..8f30faac30 100644 --- a/xfa/fxjse/include/fxjse.h +++ b/xfa/fxjse/include/fxjse.h @@ -14,7 +14,11 @@ class CFXJSE_Arguments; class CFXJSE_Value; -class CFXJSE_HostObject {}; // C++ object which can be wrapped by CFXJSE_value. +// C++ object which can be wrapped by CFXJSE_value. +class CFXJSE_HostObject { + public: + virtual ~CFXJSE_HostObject() {} +}; typedef void (*FXJSE_FuncCallback)(CFXJSE_Value* pThis, const CFX_ByteStringC& szFuncName, |