diff options
| author | Henrique Nakashima <hnakashima@chromium.org> | 2018-07-24 20:25:45 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-24 20:25:45 +0000 |
| commit | 36b2059cae7fc851c9f35babd35ec82a7a5d9694 (patch) | |
| tree | 244a0e4b80ae31c9459cd73d80bd71b1166bb35e | |
| parent | 315f94a0961792ec08428c94105caf3d8637acd1 (diff) | |
| download | pdfium-chromium/3502.tar.xz | |
Fix UAF in CPDFSDK_Widget::GetMixXFAWidget().chromium/3502
Do not allow instanceManager methods to run in Foreground XFA forms.
They are static, and their widgets should not be inserted or removed.
See "XML Forms Architecture (XFA) Specification Version 3.3", page 272.
Bug: chromium:860697
Change-Id: Ia96834e085ee508618ca4dcb2bd5271466369ede
Reviewed-on: https://pdfium-review.googlesource.com/38751
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
| -rw-r--r-- | fxjs/xfa/cjx_instancemanager.cpp | 21 | ||||
| -rw-r--r-- | xfa/fxfa/parser/cxfa_document.cpp | 4 | ||||
| -rw-r--r-- | xfa/fxfa/parser/cxfa_document.h | 1 |
3 files changed, 26 insertions, 0 deletions
diff --git a/fxjs/xfa/cjx_instancemanager.cpp b/fxjs/xfa/cjx_instancemanager.cpp index f44ccba588..0882a182b2 100644 --- a/fxjs/xfa/cjx_instancemanager.cpp +++ b/fxjs/xfa/cjx_instancemanager.cpp @@ -12,6 +12,7 @@ #include "fxjs/cfxjse_engine.h" #include "fxjs/cfxjse_value.h" #include "fxjs/js_resources.h" +#include "xfa/fxfa/cxfa_ffdoc.h" #include "xfa/fxfa/cxfa_ffnotify.h" #include "xfa/fxfa/parser/cxfa_document.h" #include "xfa/fxfa/parser/cxfa_instancemanager.h" @@ -135,6 +136,10 @@ int32_t CJX_InstanceManager::MoveInstance(int32_t iTo, int32_t iFrom) { CJS_Return CJX_InstanceManager::moveInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 2) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -162,6 +167,10 @@ CJS_Return CJX_InstanceManager::moveInstance( CJS_Return CJX_InstanceManager::removeInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -202,6 +211,10 @@ CJS_Return CJX_InstanceManager::removeInstance( CJS_Return CJX_InstanceManager::setInstances( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -212,6 +225,10 @@ CJS_Return CJX_InstanceManager::setInstances( CJS_Return CJX_InstanceManager::addInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (!params.empty() && params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -253,6 +270,10 @@ CJS_Return CJX_InstanceManager::addInstance( CJS_Return CJX_InstanceManager::insertInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1 && params.size() != 2) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); diff --git a/xfa/fxfa/parser/cxfa_document.cpp b/xfa/fxfa/parser/cxfa_document.cpp index 5ed1d7f3ec..5a85482b17 100644 --- a/xfa/fxfa/parser/cxfa_document.cpp +++ b/xfa/fxfa/parser/cxfa_document.cpp @@ -1478,6 +1478,10 @@ XFA_VERSION CXFA_Document::RecognizeXFAVersionNumber( return eVersion; } +FormType CXFA_Document::GetFormType() const { + return GetNotify()->GetHDOC()->GetFormType(); +} + CXFA_Node* CXFA_Document::GetNodeByID(CXFA_Node* pRoot, const WideStringView& wsID) const { if (!pRoot || wsID.IsEmpty()) diff --git a/xfa/fxfa/parser/cxfa_document.h b/xfa/fxfa/parser/cxfa_document.h index 795da004cc..8bddcb2035 100644 --- a/xfa/fxfa/parser/cxfa_document.h +++ b/xfa/fxfa/parser/cxfa_document.h @@ -79,6 +79,7 @@ class CXFA_Document : public CXFA_NodeOwner { bool IsInteractive(); XFA_VERSION GetCurVersionMode() { return m_eCurVersionMode; } XFA_VERSION RecognizeXFAVersionNumber(const WideString& wsTemplateNS); + FormType GetFormType() const; CXFA_Node* CreateNode(XFA_PacketType packet, XFA_Element eElement); |