From ff402c2c4ce8ae8690959262ca731d5cc6bd7015 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Tue, 17 Jul 2018 00:12:56 +0000
Subject: Check for global flag on global proxy objects.

Second line of defense for issue in the associated bug.

Bug: chromium:862059
Change-Id: I58ba890dfe02c89dd6bcfa23e2e116e107f9adbc
Reviewed-on: https://pdfium-review.googlesource.com/37991
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
---
 fxjs/cfxjs_engine.cpp | 38 +++++++++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 11 deletions(-)

(limited to 'fxjs/cfxjs_engine.cpp')

diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp
index 1a02ec9a78..8587b8af98 100644
--- a/fxjs/cfxjs_engine.cpp
+++ b/fxjs/cfxjs_engine.cpp
@@ -586,17 +586,33 @@ void CFXJS_Engine::Error(const WideString& message) {
 
 // static
 CJS_Object* CFXJS_Engine::GetObjectPrivate(v8::Local<v8::Object> pObj) {
-  CFXJS_PerObjectData* pData = CFXJS_PerObjectData::GetFromObject(pObj);
-  if (!pData && !pObj.IsEmpty()) {
-    // It could be a global proxy object.
-    v8::Local<v8::Value> v = pObj->GetPrototype();
-    if (v->IsObject()) {
-      pData = CFXJS_PerObjectData::GetFromObject(
-          v->ToObject(v8::Isolate::GetCurrent()->GetCurrentContext())
-              .ToLocalChecked());
-    }
-  }
-  return pData ? pData->m_pPrivate.get() : nullptr;
+  auto* pData = CFXJS_PerObjectData::GetFromObject(pObj);
+  if (pData)
+    return pData->m_pPrivate.get();
+
+  if (pObj.IsEmpty())
+    return nullptr;
+
+  // It could be a global proxy object, in which case the prototype holds
+  // the actual bound object.
+  v8::Local<v8::Value> val = pObj->GetPrototype();
+  if (!val->IsObject())
+    return nullptr;
+
+  auto* pProtoData = CFXJS_PerObjectData::GetFromObject(val.As<v8::Object>());
+  if (!pProtoData)
+    return nullptr;
+
+  auto* pIsolateData = FXJS_PerIsolateData::Get(v8::Isolate::GetCurrent());
+  if (!pIsolateData)
+    return nullptr;
+
+  CFXJS_ObjDefinition* pObjDef =
+      pIsolateData->ObjDefinitionForID(pProtoData->m_ObjDefID);
+  if (!pObjDef || pObjDef->m_ObjType != FXJSOBJTYPE_GLOBAL)
+    return nullptr;
+
+  return pProtoData->m_pPrivate.get();
 }
 
 v8::Local<v8::Array> CFXJS_Engine::GetConstArray(const WideString& name) {
-- 
cgit v1.2.3