From c62aa207e9acb919c33df5f3694fe159619dda86 Mon Sep 17 00:00:00 2001
From: Tom Sepez
Date: Mon, 23 Jul 2018 23:12:14 +0000
Subject: Tighten up ThisProxy casts.

Previous CLs have shown that the "lpClass" checks aren't sufficient here, so ensure we are always checking C++ enum value before downcasting this type.

Change-Id: I418127c5e7131e0a3363363a60d1976719d6837c
Reviewed-on: https://pdfium-review.googlesource.com/38550
Reviewed-by: Lei Zhang
Commit-Queue: Tom Sepez
---
 fxjs/cfxjse_engine.cpp | 9 ++++++---
 xfa/fxfa/parser/cxfa_thisproxy.cpp | 8 +++++++-
 xfa/fxfa/parser/cxfa_thisproxy.h | 2 ++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/fxjs/cfxjse_engine.cpp b/fxjs/cfxjse_engine.cpp
index 3efe335d67..c5cc89a8d0 100644
--- a/fxjs/cfxjse_engine.cpp
+++ b/fxjs/cfxjse_engine.cpp
@@ -66,7 +66,10 @@ namespace {
 const char kFormCalcRuntime[] = "pfm_rt";
 CXFA_ThisProxy* ToThisProxy(CFXJSE_Value* pValue) {
- return static_cast(pValue->ToHostObject());
+ CFXJSE_HostObject* pHostObject = pValue->ToHostObject();
+ if (!pHostObject)
+ return nullptr;
+ return CXFA_ThisProxy::FromCXFAObject(pHostObject->AsCXFAObject());
 }
 } // namespace
@@ -470,10 +473,10 @@ CFXJSE_Context* CFXJSE_Engine::CreateVariablesContext(CXFA_Node* pScriptNode,
 CXFA_Object* CFXJSE_Engine::GetVariablesThis(CXFA_Object* pObject, bool bScriptNode) {
- if (!pObject->IsVariablesThis())
+ CXFA_ThisProxy* pProxy = CXFA_ThisProxy::FromCXFAObject(pObject);
+ if (!pProxy)
 return pObject;
- CXFA_ThisProxy* pProxy = static_cast(pObject);
 return bScriptNode ? pProxy->GetScriptNode() : pProxy->GetThisNode();
 }
diff --git a/xfa/fxfa/parser/cxfa_thisproxy.cpp b/xfa/fxfa/parser/cxfa_thisproxy.cpp
index 314c98c9f0..a3593e99b5 100644
--- a/xfa/fxfa/parser/cxfa_thisproxy.cpp
+++ b/xfa/fxfa/parser/cxfa_thisproxy.cpp
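Review bot: In the `@@ -66,7 +66,10 @@` hunk, `ToThisProxy()` can now return `nullptr`, either when the value holds no host object or when the host object is not a VariablesThis proxy, whereas the removed cast always handed back whatever `ToHostObject()` produced. The call sites are outside this hunk, so each one should be confirmed to check the result before dereferencing; otherwise the bad downcast is replaced by a null dereference on script-controlled values. The new path also relies on `AsCXFAObject()` returning null for host objects that are not CXFA objects, which is not visible here. A one-line contract above the helper would make this explicit: `// Returns nullptr unless |pValue| wraps a CXFA_ThisProxy.`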
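Review bot: In the `@@ -470,10 +473,10 @@` hunk, `GetVariablesThis()` now accepts a null `pObject` and returns it unchanged, because `FromCXFAObject()` null-checks its argument while the removed `pObject->IsVariablesThis()` call did not. If null is not a legitimate input, this silently moves the failure to whichever caller dereferences the result; a comment such as `// Returns |pObject| itself (possibly null) when it is not a CXFA_ThisProxy.` would record the contract, or the precondition could be asserted explicitly. Whether `GetScriptNode()` and `GetThisNode()` can themselves return null is not visible in this hunk.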
@@ -10,6 +10,12 @@
 #include "third_party/base/ptr_util.h"
 #include "xfa/fxfa/parser/cxfa_node.h"
+// static
+CXFA_ThisProxy* CXFA_ThisProxy::FromCXFAObject(CXFA_Object* that) {
+ return that && that->IsVariablesThis() ? static_cast(that)
+ : nullptr;
+}
+
 CXFA_ThisProxy::CXFA_ThisProxy(CXFA_Node* pThisNode, CXFA_Node* pScriptNode) : CXFA_Object(pThisNode->GetDocument(), XFA_ObjectType::VariablesThis,
@@ -19,4 +25,4 @@ CXFA_ThisProxy::CXFA_ThisProxy(CXFA_Node* pThisNode, CXFA_Node* pScriptNode)
 m_pThisNode(pThisNode), m_pScriptNode(pScriptNode) {}
-CXFA_ThisProxy::~CXFA_ThisProxy() {}
+CXFA_ThisProxy::~CXFA_ThisProxy() = default;
diff --git a/xfa/fxfa/parser/cxfa_thisproxy.h b/xfa/fxfa/parser/cxfa_thisproxy.h
index 197a97da67..e86a6b5534 100644
--- a/xfa/fxfa/parser/cxfa_thisproxy.h
+++ b/xfa/fxfa/parser/cxfa_thisproxy.h
@@ -13,6 +13,8 @@
 class CXFA_ThisProxy : public CXFA_Object {
 public:
+ static CXFA_ThisProxy* FromCXFAObject(CXFA_Object* that);
+
 CXFA_ThisProxy(CXFA_Node* pThisNode, CXFA_Node* pScriptNode);
 ~CXFA_ThisProxy() override;
--
cgit v1.2.3
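Review bot: The `static_cast` in `CXFA_ThisProxy::FromCXFAObject()` (hunk `@@ -10,6 +10,12 @@`) is only sound if `CXFA_ThisProxy` is the sole class that constructs a `CXFA_Object` with `XFA_ObjectType::VariablesThis`, as the constructor just below it does. That invariant is what replaces the `lpClass` check and deserves a comment, e.g. `// Safe: only CXFA_ThisProxy is constructed with XFA_ObjectType::VariablesThis.` The declaration added in `cxfa_thisproxy.h` has no comment either; `// Returns nullptr if |that| is null or is not a VariablesThis object.` there would tell callers they must handle null. Any remaining direct downcasts to `CXFA_ThisProxy*` elsewhere in the tree (not visible in this patch) should go through this helper so the enum check cannot be skipped.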