diff options
author | Tom Sepez <tsepez@chromium.org> | 2018-07-17 00:12:56 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-17 00:12:56 +0000 |
commit | ff402c2c4ce8ae8690959262ca731d5cc6bd7015 (patch) | |
tree | c486df05d082943433a63292ae458d987773c005 /fxjs/cfxjs_engine.cpp | |
parent | 82999fa9d685638561efc6df2c8370c7e7f47676 (diff) | |
download | pdfium-ff402c2c4ce8ae8690959262ca731d5cc6bd7015.tar.xz |
Check for global flag on global proxy objects.
Second line of defense for issue in the associated bug.
Bug: chromium:862059
Change-Id: I58ba890dfe02c89dd6bcfa23e2e116e107f9adbc
Reviewed-on: https://pdfium-review.googlesource.com/37991
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Diffstat (limited to 'fxjs/cfxjs_engine.cpp')
-rw-r--r-- | fxjs/cfxjs_engine.cpp | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp index 1a02ec9a78..8587b8af98 100644 --- a/fxjs/cfxjs_engine.cpp +++ b/fxjs/cfxjs_engine.cpp @@ -586,17 +586,33 @@ void CFXJS_Engine::Error(const WideString& message) { // static CJS_Object* CFXJS_Engine::GetObjectPrivate(v8::Local<v8::Object> pObj) { - CFXJS_PerObjectData* pData = CFXJS_PerObjectData::GetFromObject(pObj); - if (!pData && !pObj.IsEmpty()) { - // It could be a global proxy object. - v8::Local<v8::Value> v = pObj->GetPrototype(); - if (v->IsObject()) { - pData = CFXJS_PerObjectData::GetFromObject( - v->ToObject(v8::Isolate::GetCurrent()->GetCurrentContext()) - .ToLocalChecked()); - } - } - return pData ? pData->m_pPrivate.get() : nullptr; + auto* pData = CFXJS_PerObjectData::GetFromObject(pObj); + if (pData) + return pData->m_pPrivate.get(); + + if (pObj.IsEmpty()) + return nullptr; + + // It could be a global proxy object, in which case the prototype holds + // the actual bound object. + v8::Local<v8::Value> val = pObj->GetPrototype(); + if (!val->IsObject()) + return nullptr; + + auto* pProtoData = CFXJS_PerObjectData::GetFromObject(val.As<v8::Object>()); + if (!pProtoData) + return nullptr; + + auto* pIsolateData = FXJS_PerIsolateData::Get(v8::Isolate::GetCurrent()); + if (!pIsolateData) + return nullptr; + + CFXJS_ObjDefinition* pObjDef = + pIsolateData->ObjDefinitionForID(pProtoData->m_ObjDefID); + if (!pObjDef || pObjDef->m_ObjType != FXJSOBJTYPE_GLOBAL) + return nullptr; + + return pProtoData->m_pPrivate.get(); } v8::Local<v8::Array> CFXJS_Engine::GetConstArray(const WideString& name) { |