From fb7021ce035587c460c0ed91584ca05999e60ddd Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Wed, 31 May 2017 10:29:25 -0700
Subject: Be less trusting of MaybeLocal<> return types from V8 To* methods.

Calling ToLocalChecked() will crash otherwise.

Bug: 707673
Change-Id: I66a5b36d8cf1710a725e30c2d14a195d08ef25a4
Reviewed-on: https://pdfium-review.googlesource.com/6130
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 fpdfsdk/fpdfformfill_embeddertest.cpp |  18 ++++++++++++++++++
 fxjs/fxjs_v8.cpp                      |  20 ++++++++++++++++----
 testing/resources/bug_707673.pdf      | Bin 0 -> 33762 bytes
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 testing/resources/bug_707673.pdf

diff --git a/fpdfsdk/fpdfformfill_embeddertest.cpp b/fpdfsdk/fpdfformfill_embeddertest.cpp
index 631a6a2e7c..8718a43d83 100644
--- a/fpdfsdk/fpdfformfill_embeddertest.cpp
+++ b/fpdfsdk/fpdfformfill_embeddertest.cpp
@@ -201,6 +201,24 @@ TEST_F(FPDFFormFillEmbeddertest, BUG_679649) {
   EXPECT_EQ(0u, alerts.size());
 }
 
+TEST_F(FPDFFormFillEmbeddertest, BUG_707673) {
+  EmbedderTestTimerHandlingDelegate delegate;
+  SetDelegate(&delegate);
+
+  EXPECT_TRUE(OpenDocument("bug_707673.pdf"));
+  FPDF_PAGE page = LoadPage(0);
+  EXPECT_TRUE(page);
+
+  DoOpenActions();
+  FORM_OnLButtonDown(form_handle(), page, 0, 140, 590);
+  FORM_OnLButtonUp(form_handle(), page, 0, 140, 590);
+  delegate.AdvanceTime(1000);
+  UnloadPage(page);
+
+  const auto& alerts = delegate.GetAlerts();
+  EXPECT_EQ(0u, alerts.size());
+}
+
 #endif  // PDF_ENABLE_V8
 
 TEST_F(FPDFFormFillEmbeddertest, FormText) {
diff --git a/fxjs/fxjs_v8.cpp b/fxjs/fxjs_v8.cpp
index 7f5e5cb8b5..ce7dc50e63 100644
--- a/fxjs/fxjs_v8.cpp
+++ b/fxjs/fxjs_v8.cpp
@@ -701,28 +701,40 @@ int CFXJS_Engine::ToInt32(v8::Local<v8::Value> pValue) {
   if (pValue.IsEmpty())
     return 0;
   v8::Local<v8::Context> context = m_isolate->GetCurrentContext();
-  return pValue->ToInt32(context).ToLocalChecked()->Value();
+  v8::MaybeLocal<v8::Int32> maybe_int32 = pValue->ToInt32(context);
+  if (maybe_int32.IsEmpty())
+    return 0;
+  return maybe_int32.ToLocalChecked()->Value();
 }
 
 bool CFXJS_Engine::ToBoolean(v8::Local<v8::Value> pValue) {
   if (pValue.IsEmpty())
     return false;
   v8::Local<v8::Context> context = m_isolate->GetCurrentContext();
-  return pValue->ToBoolean(context).ToLocalChecked()->Value();
+  v8::MaybeLocal<v8::Boolean> maybe_boolean = pValue->ToBoolean(context);
+  if (maybe_boolean.IsEmpty())
+    return false;
+  return maybe_boolean.ToLocalChecked()->Value();
 }
 
 double CFXJS_Engine::ToDouble(v8::Local<v8::Value> pValue) {
   if (pValue.IsEmpty())
     return 0.0;
   v8::Local<v8::Context> context = m_isolate->GetCurrentContext();
-  return pValue->ToNumber(context).ToLocalChecked()->Value();
+  v8::MaybeLocal<v8::Number> maybe_number = pValue->ToNumber(context);
+  if (maybe_number.IsEmpty())
+    return 0.0;
+  return maybe_number.ToLocalChecked()->Value();
 }
 
 CFX_WideString CFXJS_Engine::ToWideString(v8::Local<v8::Value> pValue) {
   if (pValue.IsEmpty())
     return CFX_WideString();
   v8::Local<v8::Context> context = m_isolate->GetCurrentContext();
-  v8::String::Utf8Value s(pValue->ToString(context).ToLocalChecked());
+  v8::MaybeLocal<v8::String> maybe_string = pValue->ToString(context);
+  if (maybe_string.IsEmpty())
+    return CFX_WideString();
+  v8::String::Utf8Value s(maybe_string.ToLocalChecked());
   return CFX_WideString::FromUTF8(CFX_ByteStringC(*s, s.length()));
 }
 
diff --git a/testing/resources/bug_707673.pdf b/testing/resources/bug_707673.pdf
new file mode 100644
index 0000000000..4f412bc735
Binary files /dev/null and b/testing/resources/bug_707673.pdf differ
-- 
cgit v1.2.3