diff options
| author | Henrique Nakashima <hnakashima@chromium.org> | 2018-07-24 20:25:45 +0000 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2018-07-24 20:25:45 +0000 |
| commit | 36b2059cae7fc851c9f35babd35ec82a7a5d9694 (patch) | |
| tree | 244a0e4b80ae31c9459cd73d80bd71b1166bb35e /fxjs/xfa | |
| parent | 315f94a0961792ec08428c94105caf3d8637acd1 (diff) | |
| download | pdfium-36b2059cae7fc851c9f35babd35ec82a7a5d9694.tar.xz | |
Fix UAF in CPDFSDK_Widget::GetMixXFAWidget().chromium/3502
Do not allow instanceManager methods to run in Foreground XFA forms.
They are static, and their widgets should not be inserted or removed.
See "XML Forms Architecture (XFA) Specification Version 3.3", page 272.
Bug: chromium:860697
Change-Id: Ia96834e085ee508618ca4dcb2bd5271466369ede
Reviewed-on: https://pdfium-review.googlesource.com/38751
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
Diffstat (limited to 'fxjs/xfa')
| -rw-r--r-- | fxjs/xfa/cjx_instancemanager.cpp | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/fxjs/xfa/cjx_instancemanager.cpp b/fxjs/xfa/cjx_instancemanager.cpp index f44ccba588..0882a182b2 100644 --- a/fxjs/xfa/cjx_instancemanager.cpp +++ b/fxjs/xfa/cjx_instancemanager.cpp @@ -12,6 +12,7 @@ #include "fxjs/cfxjse_engine.h" #include "fxjs/cfxjse_value.h" #include "fxjs/js_resources.h" +#include "xfa/fxfa/cxfa_ffdoc.h" #include "xfa/fxfa/cxfa_ffnotify.h" #include "xfa/fxfa/parser/cxfa_document.h" #include "xfa/fxfa/parser/cxfa_instancemanager.h" @@ -135,6 +136,10 @@ int32_t CJX_InstanceManager::MoveInstance(int32_t iTo, int32_t iFrom) { CJS_Return CJX_InstanceManager::moveInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 2) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -162,6 +167,10 @@ CJS_Return CJX_InstanceManager::moveInstance( CJS_Return CJX_InstanceManager::removeInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -202,6 +211,10 @@ CJS_Return CJX_InstanceManager::removeInstance( CJS_Return CJX_InstanceManager::setInstances( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -212,6 +225,10 @@ CJS_Return CJX_InstanceManager::setInstances( CJS_Return CJX_InstanceManager::addInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (!params.empty() && params.size() != 1) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); @@ -253,6 +270,10 @@ CJS_Return CJX_InstanceManager::addInstance( CJS_Return CJX_InstanceManager::insertInstance( CFX_V8* runtime, const std::vector<v8::Local<v8::Value>>& params) { + CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument(); + if (doc->GetFormType() != FormType::kXFAFull) + return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError)); + if (params.size() != 1 && params.size() != 2) return CJS_Return(JSGetStringFromID(JSMessage::kParamError)); |