From 4f4603cc1b498bca3b1619006137e50ce80088c1 Mon Sep 17 00:00:00 2001 From: Tom Sepez Date: Tue, 10 Nov 2015 15:03:12 -0800 Subject: Segv when PDF-side JS object property getter invoked from XFA. The PDF-side native objects require that the current v8 context has been set-up to point at the state (via CJS_Runtime) for the getters, setters, and methods to operate against. XFA doesn't supply a context with that state, so at the first opportunity for a PDF-side object to be leaked to XFA, set up the context to mimic the PDF side. Changed FXJS_GetRuntimeFromIsolate() to FXJS_GetRuntimeFromV8Context() for consistency with the newly added method. BUG=pdfium:266 R=jochen@chromium.org Review URL: https://codereview.chromium.org/1412103010 . --- fpdfsdk/src/javascript/JS_Define.h | 27 ++++++++++++++------------- fpdfsdk/src/javascript/JS_Runtime.cpp | 12 ++++++++++-- fpdfsdk/src/jsapi/fxjs_v8.cpp | 12 ++++++++---- 3 files changed, 32 insertions(+), 19 deletions(-) (limited to 'fpdfsdk/src') diff --git a/fpdfsdk/src/javascript/JS_Define.h b/fpdfsdk/src/javascript/JS_Define.h index 3ebd07518e..b097aaa63f 100644 --- a/fpdfsdk/src/javascript/JS_Define.h +++ b/fpdfsdk/src/javascript/JS_Define.h @@ -78,8 +78,8 @@ void JSPropGetter(const char* prop_name_string, v8::Local property, const v8::PropertyCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(isolate)); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -104,8 +104,8 @@ void JSPropSetter(const char* prop_name_string, v8::Local value, const v8::PropertyCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(isolate)); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -143,8 +143,8 @@ void JSMethod(const char* method_name_string, const char* class_name_string, const v8::FunctionCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(isolate)); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -366,8 +366,8 @@ void JSSpecialPropGet(const char* class_name, v8::Local property, const v8::PropertyCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(isolate)); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -393,8 +393,8 @@ void JSSpecialPropPut(const char* class_name, v8::Local value, const v8::PropertyCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(isolate)); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -417,7 +417,8 @@ void JSSpecialPropDel(const char* class_name, v8::Local property, const v8::PropertyCallbackInfo& info) { v8::Isolate* isolate = info.GetIsolate(); - IJS_Runtime* pRuntime = FXJS_GetRuntimeFromIsolate(isolate); + IJS_Runtime* pRuntime = + FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); @@ -439,8 +440,8 @@ template void JSGlobalFunc(const char* func_name_string, const v8::FunctionCallbackInfo& info) { - CJS_Runtime* pRuntime = - static_cast(FXJS_GetRuntimeFromIsolate(info.GetIsolate())); + CJS_Runtime* pRuntime = static_cast( + FXJS_GetRuntimeFromV8Context(info.GetIsolate()->GetCurrentContext())); if (!pRuntime) return; IJS_Context* pContext = pRuntime->GetCurrentContext(); diff --git a/fpdfsdk/src/javascript/JS_Runtime.cpp b/fpdfsdk/src/javascript/JS_Runtime.cpp index 8b0475b851..ecb53d2d72 100644 --- a/fpdfsdk/src/javascript/JS_Runtime.cpp +++ b/fpdfsdk/src/javascript/JS_Runtime.cpp @@ -245,12 +245,20 @@ FX_BOOL CJS_Runtime::GetHValueByName(const CFX_ByteStringC& utf8Name, v8::Locker lock(GetIsolate()); v8::Isolate::Scope isolate_scope(GetIsolate()); v8::HandleScope handle_scope(GetIsolate()); + v8::Local old_context = GetIsolate()->GetCurrentContext(); v8::Local context = v8::Local::New(GetIsolate(), m_context); v8::Context::Scope context_scope(context); - // v8::Local tmpCotext = - // v8::Local::New(GetIsolate(), m_context); + // Caution: We're about to hand to XFA an object that in order to invoke + // methods will require that the current v8::Context always has a pointer + // to a CJS_Runtime in its embedder data slot. Unfortunately, XFA creates + // its own v8::Context which has not initialized the embedder data slot. + // Do so now. + // TODO(tsepez): redesign PDF-side objects to not rely on v8::Context's + // embedder data slots, and/or to always use the right context. + FXJS_SetRuntimeForV8Context(old_context, this); + v8::Local propvalue = context->Global()->Get(v8::String::NewFromUtf8( GetIsolate(), name, v8::String::kNormalString, utf8Name.GetLength())); diff --git a/fpdfsdk/src/jsapi/fxjs_v8.cpp b/fpdfsdk/src/jsapi/fxjs_v8.cpp index 2ff515d0ab..3413d72bb3 100644 --- a/fpdfsdk/src/jsapi/fxjs_v8.cpp +++ b/fpdfsdk/src/jsapi/fxjs_v8.cpp @@ -287,7 +287,7 @@ void FXJS_InitializeRuntime(v8::Isolate* pIsolate, v8::Context::Scope context_scope(v8Context); FXJS_PerIsolateData::SetUp(pIsolate); - v8Context->SetAlignedPointerInEmbedderData(kPerContextDataIndex, pIRuntime); + FXJS_SetRuntimeForV8Context(v8Context, pIRuntime); int maxID = CFXJS_ObjDefinition::MaxID(pIsolate); for (int i = 0; i < maxID; ++i) { @@ -361,10 +361,14 @@ void FXJS_ReleaseRuntime(v8::Isolate* pIsolate, delete pData; } -IJS_Runtime* FXJS_GetRuntimeFromIsolate(v8::Isolate* pIsolate) { - v8::Local context = pIsolate->GetCurrentContext(); +void FXJS_SetRuntimeForV8Context(v8::Local v8Context, + IJS_Runtime* pIRuntime) { + v8Context->SetAlignedPointerInEmbedderData(kPerContextDataIndex, pIRuntime); +} + +IJS_Runtime* FXJS_GetRuntimeFromV8Context(v8::Local v8Context) { return static_cast( - context->GetAlignedPointerFromEmbedderData(kPerContextDataIndex)); + v8Context->GetAlignedPointerFromEmbedderData(kPerContextDataIndex)); } int FXJS_Execute(v8::Isolate* pIsolate, -- cgit v1.2.3