diff options
| author | Tom Sepez <tsepez@chromium.org> | 2017-02-24 15:31:12 -0800 |
|---|---|---|
| committer | Chromium commit bot <commit-bot@chromium.org> | 2017-02-27 18:57:39 +0000 |
| commit | c5a1472ec5a809ff524c8888ac5884498801d06f (patch) | |
| tree | 0097a8358dd5954fb48f4b2a48ea921a22a300ca /testing | |
| parent | 73c9f3bb3d82563d6d4496c4b0204d5c0825e8a2 (diff) | |
| download | pdfium-c5a1472ec5a809ff524c8888ac5884498801d06f.tar.xz | |
Fix uninitialized memory read in CJS_Object::GetEmbedObject()
The expected way to create native PDFium objects for JS is via
the NewFxDynamicObject() call in C++, but that doesn't mean that the
corresponding constructors won't be called from JS. In that case,
the internal fields will be uninitialized, and subsequent method
calls may try to use them.
Add a constructor callback for all PDFium objects that nulls out
these fields (shame that v8 doesn't do this by default, but probably
saves some cycles). Then ensure that we check for this possibility
in all the places it might turn up.
Conversely, if we've just gotten a successful return from
NewFxDynamicObject(), we know the CJS_Object/EmbedObj are good,
so avoid checking there.
BUG=695826
Change-Id: Iadad644c4af937def967ddc83daac1dad7544d69
Reviewed-on: https://pdfium-review.googlesource.com/2839
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Diffstat (limited to 'testing')
| -rw-r--r-- | testing/resources/javascript/bug_695826.in | 47 | ||||
| -rw-r--r-- | testing/resources/javascript/bug_695826_expected.txt | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/testing/resources/javascript/bug_695826.in b/testing/resources/javascript/bug_695826.in new file mode 100644 index 0000000000..b20908bc79 --- /dev/null +++ b/testing/resources/javascript/bug_695826.in @@ -0,0 +1,47 @@ +{{header}} +{{object 1 0}} << + /Type /Catalog + /Pages 2 0 R + /OpenAction 10 0 R +>> +endobj +{{object 2 0}} << + /Type /Pages + /Count 1 + /Kids [ + 3 0 R + ] +>> +endobj +% Page number 0. +{{object 3 0}} << + /Type /Page + /Parent 2 0 R + /Resources << + /Font <</F1 15 0 R>> + >> + /Contents [21 0 R] + /MediaBox [0 0 612 792] +>> +% OpenAction action +{{object 10 0}} << + /Type /Action + /S /JavaScript + /JS 11 0 R +>> +endobj +% JS program to exexute +{{object 11 0}} << +>> +stream +var obj = new this.constructor; +obj.author = 3; +app.alert('Done!'); +endstream +endobj +{{xref}} +trailer << + /Root 1 0 R +>> +{{startxref}} +%%EOF diff --git a/testing/resources/javascript/bug_695826_expected.txt b/testing/resources/javascript/bug_695826_expected.txt new file mode 100644 index 0000000000..5bb6e85966 --- /dev/null +++ b/testing/resources/javascript/bug_695826_expected.txt @@ -0,0 +1 @@ +Alert: Done! |