Tag CFXJSE_HostObject sub-classes.

CXFA_FM2JSContext and CXFA_Object both subclass CFXJSE_HostObject.
When a CFXJSE_HostObject is obtained from an opaque pointer inside
a V8 object internal slot, there is no way to distinguish one from
the other.

Bug: 728158
Change-Id: Iabc648e8b7226e2819d8795227442c3f6c61a793
Reviewed-on: https://pdfium-review.googlesource.com/6211
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

2 files changed, 6 insertions, 2 deletions

diff --git a/xfa/fxfa/parser/cxfa_object.cpp b/xfa/fxfa/parser/cxfa_object.cpp
index 8dd35cd245..32aed5de1b 100644
--- a/xfa/fxfa/parser/cxfa_object.cpp
+++ b/xfa/fxfa/parser/cxfa_object.cpp
@@ -17,7 +17,8 @@ CXFA_Object::CXFA_Object(CXFA_Document* pDocument,
                          XFA_ObjectType objectType,
                          XFA_Element elementType,
                          const CFX_WideStringC& elementName)
-    : m_pDocument(pDocument),
+    : CFXJSE_HostObject(kXFA),
+      m_pDocument(pDocument),
       m_objectType(objectType),
       m_elementType(elementType),
       m_elementNameHash(FX_HashCode_GetW(elementName, false)),
diff --git a/xfa/fxfa/parser/cxfa_scriptcontext.cpp b/xfa/fxfa/parser/cxfa_scriptcontext.cpp
index 2100299616..fcf22442f1 100644
--- a/xfa/fxfa/parser/cxfa_scriptcontext.cpp
+++ b/xfa/fxfa/parser/cxfa_scriptcontext.cpp
@@ -115,7 +115,10 @@ const XFA_METHODINFO* GetMethodByName(XFA_Element eElement,
 // static.
 CXFA_Object* CXFA_ScriptContext::ToObject(CFXJSE_Value* pValue,
                                           CFXJSE_Class* pClass) {
-  return static_cast<CXFA_Object*>(pValue->ToHostObject(pClass));
+  CFXJSE_HostObject* pHostObj = pValue->ToHostObject(pClass);
+  if (!pHostObj || pHostObj->type() != CFXJSE_HostObject::kXFA)
+    return nullptr;
+  return static_cast<CXFA_Object*>(pHostObj);
 }
 
 CXFA_ScriptContext::CXFA_ScriptContext(CXFA_Document* pDocument)