Fix a fatal error due to cloning a global document object

BUG=454595
R=tsepez@chromium.org

Review URL: https://codereview.chromium.org/1053373002

3 files changed, 36 insertions, 14 deletions

diff --git a/fpdfsdk/src/javascript/Document.cpp b/fpdfsdk/src/javascript/Document.cpp
index b1a2ad7688..f823d8084f 100644
--- a/fpdfsdk/src/javascript/Document.cpp
+++ b/fpdfsdk/src/javascript/Document.cpp
@@ -1947,3 +1947,9 @@ void Document::DoAnnotDelay()
 		m_DelayData.RemoveAt(DelArray[j]);
 	}
 }
+
+CJS_Document* Document::GetCJSDoc() const 
+{
+	return static_cast<CJS_Document*>(m_pJSObject);
+}
+
diff --git a/fpdfsdk/src/javascript/Field.cpp b/fpdfsdk/src/javascript/Field.cpp
index 771b3660ec..85b7d12c3f 100644
--- a/fpdfsdk/src/javascript/Field.cpp
+++ b/fpdfsdk/src/javascript/Field.cpp
@@ -1500,26 +1500,22 @@ void Field::SetDisplay(CPDFSDK_Document* pDocument, const CFX_WideString& swFiel
 
 FX_BOOL Field::doc(IFXJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError)
 {
-	ASSERT(m_pJSDoc != NULL);
-
-	if (!vp.IsGetting())return FALSE;
-
-	vp << (CJS_Object*)(*m_pJSDoc);
-
+	if (!vp.IsGetting()) {
+		return FALSE;
+	}
+	vp << m_pJSDoc->GetCJSDoc();
 	return TRUE;
 }
 
 FX_BOOL Field::editable(IFXJS_Context* cc, CJS_PropValue& vp, CFX_WideString& sError)
 {
 	ASSERT(m_pDocument != NULL);
-
 	if (vp.IsSetting())
 	{
 		if (!m_bCanSet) return FALSE;
 
 		bool bVP;
 		vp >> bVP;
-
 	}
 	else
 	{
diff --git a/fpdfsdk/src/javascript/JS_Value.cpp b/fpdfsdk/src/javascript/JS_Value.cpp
index 9279ff5db4..6292b8d042 100644
--- a/fpdfsdk/src/javascript/JS_Value.cpp
+++ b/fpdfsdk/src/javascript/JS_Value.cpp
@@ -202,6 +202,14 @@ void CJS_Value::operator =(CJS_Object * pObj)
 		operator = ((JSFXObject)*pObj);
 }
 
+void CJS_Value::operator = (CJS_Document* pJsDoc)
+{
+	m_eType = VT_object;
+	if (pJsDoc) {
+		m_pValue = static_cast<JSFXObject>(*pJsDoc);
+	}
+}
+
 void CJS_Value::operator =(FX_LPCWSTR pWstr)
 {
 	m_pValue = JS_NewString(m_isolate,(wchar_t *)pWstr);
@@ -344,7 +352,7 @@ void CJS_PropValue::operator <<(bool bValue)
 	CJS_Value::operator =(bValue);
 }
 
-void CJS_PropValue::operator >>(bool &bValue) const
+void CJS_PropValue::operator >>(bool& bValue) const
 {
 	ASSERT(m_bIsSetting);
 	bValue = CJS_Value::operator bool();
@@ -357,24 +365,36 @@ void CJS_PropValue::operator <<(double dValue)
 	CJS_Value::operator =(dValue);
 }
 
-void CJS_PropValue::operator >>(double &dValue) const
+void CJS_PropValue::operator >>(double& dValue) const
 {
 	ASSERT(m_bIsSetting);
 	dValue = CJS_Value::operator double();
 }
 
-void CJS_PropValue::operator <<(CJS_Object *pObj)
+void CJS_PropValue::operator <<(CJS_Object* pObj)
 {
-	ASSERT(!m_bIsSetting);
+	ASSERT(!m_bIsSetting)
 	CJS_Value::operator = (pObj);
 }
 
-void CJS_PropValue::operator >>(CJS_Object *&ppObj) const
+void CJS_PropValue::operator >>(CJS_Object*& ppObj) const
 {
-	ASSERT(m_bIsSetting);
+	ASSERT(m_bIsSetting)
 	ppObj = CJS_Value::operator CJS_Object *();
 }
 
+void CJS_PropValue::operator <<(CJS_Document* pJsDoc)
+{
+	ASSERT(!m_bIsSetting);
+	CJS_Value::operator = (pJsDoc);
+}
+
+void CJS_PropValue::operator >>(CJS_Document*& ppJsDoc) const
+{
+	ASSERT(m_bIsSetting);
+	ppJsDoc = static_cast<CJS_Document*>(CJS_Value::operator CJS_Object *());
+}
+
 void CJS_PropValue::operator<<(JSFXObject pObj)
 {
 	ASSERT(!m_bIsSetting);