From 125eb3093a4632ee519041201ca904680f3a2245 Mon Sep 17 00:00:00 2001
From: Tom Sepez <tsepez@chromium.org>
Date: Fri, 27 Jul 2018 21:17:06 +0000
Subject: Tag XFA data bound to V8 Objects.

Because we don't want to trust anything V8 gives us back.
Use a deep namespace so we can have a short declaration in the
structs, but avoid collisions.

Change-Id: Ibb832a5dcd34c652159c3343dd70c9e2ee561537
Reviewed-on: https://pdfium-review.googlesource.com/38972
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
---
 fxjs/cfxjse_class.cpp | 50 ++++++++++++++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 16 deletions(-)

(limited to 'fxjs/cfxjse_class.cpp')

diff --git a/fxjs/cfxjse_class.cpp b/fxjs/cfxjse_class.cpp
index 67186ff66f..e7e54c8867 100644
--- a/fxjs/cfxjse_class.cpp
+++ b/fxjs/cfxjse_class.cpp
@@ -16,13 +16,25 @@
 #include "fxjs/js_resources.h"
 #include "third_party/base/ptr_util.h"
 
+using pdfium::fxjse::kFuncTag;
+using pdfium::fxjse::kClassTag;
+
 namespace {
 
+FXJSE_FUNCTION_DESCRIPTOR* AsFunctionDescriptor(void* ptr) {
+  auto* result = static_cast<FXJSE_FUNCTION_DESCRIPTOR*>(ptr);
+  return result && result->tag == kFuncTag ? result : nullptr;
+}
+
+FXJSE_CLASS_DESCRIPTOR* AsClassDescriptor(void* ptr) {
+  auto* result = static_cast<FXJSE_CLASS_DESCRIPTOR*>(ptr);
+  return result && result->tag == kClassTag ? result : nullptr;
+}
+
 void V8FunctionCallback_Wrapper(
     const v8::FunctionCallbackInfo<v8::Value>& info) {
   const FXJSE_FUNCTION_DESCRIPTOR* lpFunctionInfo =
-      static_cast<FXJSE_FUNCTION_DESCRIPTOR*>(
-          info.Data().As<v8::External>()->Value());
+      AsFunctionDescriptor(info.Data().As<v8::External>()->Value());
   if (!lpFunctionInfo)
     return;
 
@@ -42,8 +54,7 @@ void V8ConstructorCallback_Wrapper(
     return;
 
   const FXJSE_CLASS_DESCRIPTOR* lpClassDefinition =
-      static_cast<FXJSE_CLASS_DESCRIPTOR*>(
-          info.Data().As<v8::External>()->Value());
+      AsClassDescriptor(info.Data().As<v8::External>()->Value());
   if (!lpClassDefinition)
     return;
 
@@ -54,8 +65,8 @@ void V8ConstructorCallback_Wrapper(
 
 void Context_GlobalObjToString(
     const v8::FunctionCallbackInfo<v8::Value>& info) {
-  const FXJSE_CLASS_DESCRIPTOR* lpClass = static_cast<FXJSE_CLASS_DESCRIPTOR*>(
-      info.Data().As<v8::External>()->Value());
+  const FXJSE_CLASS_DESCRIPTOR* lpClass =
+      AsClassDescriptor(info.Data().As<v8::External>()->Value());
   if (!lpClass)
     return;
 
@@ -178,11 +189,13 @@ void NamedPropertyQueryCallback(
     v8::Local<v8::Name> property,
     const v8::PropertyCallbackInfo<v8::Integer>& info) {
   v8::Local<v8::Object> thisObject = info.Holder();
-  const FXJSE_CLASS_DESCRIPTOR* lpClass = static_cast<FXJSE_CLASS_DESCRIPTOR*>(
-      info.Data().As<v8::External>()->Value());
-  v8::Isolate* pIsolate = info.GetIsolate();
-  v8::HandleScope scope(pIsolate);
-  v8::String::Utf8Value szPropName(pIsolate, property);
+  const FXJSE_CLASS_DESCRIPTOR* lpClass =
+      AsClassDescriptor(info.Data().As<v8::External>()->Value());
+  if (!lpClass)
+    return;
+
+  v8::HandleScope scope(info.GetIsolate());
+  v8::String::Utf8Value szPropName(info.GetIsolate(), property);
   ByteStringView szFxPropName(*szPropName, szPropName.length());
   auto lpThisValue = pdfium::MakeUnique<CFXJSE_Value>(info.GetIsolate());
   lpThisValue->ForceSetValue(thisObject);
@@ -198,8 +211,11 @@ void NamedPropertyGetterCallback(
     v8::Local<v8::Name> property,
     const v8::PropertyCallbackInfo<v8::Value>& info) {
   v8::Local<v8::Object> thisObject = info.Holder();
-  const FXJSE_CLASS_DESCRIPTOR* lpClass = static_cast<FXJSE_CLASS_DESCRIPTOR*>(
-      info.Data().As<v8::External>()->Value());
+  const FXJSE_CLASS_DESCRIPTOR* lpClass =
+      AsClassDescriptor(info.Data().As<v8::External>()->Value());
+  if (!lpClass)
+    return;
+
   v8::String::Utf8Value szPropName(info.GetIsolate(), property);
   ByteStringView szFxPropName(*szPropName, szPropName.length());
   auto lpThisValue = pdfium::MakeUnique<CFXJSE_Value>(info.GetIsolate());
@@ -215,13 +231,15 @@ void NamedPropertySetterCallback(
     v8::Local<v8::Value> value,
     const v8::PropertyCallbackInfo<v8::Value>& info) {
   v8::Local<v8::Object> thisObject = info.Holder();
-  const FXJSE_CLASS_DESCRIPTOR* lpClass = static_cast<FXJSE_CLASS_DESCRIPTOR*>(
-      info.Data().As<v8::External>()->Value());
+  const FXJSE_CLASS_DESCRIPTOR* lpClass =
+      AsClassDescriptor(info.Data().As<v8::External>()->Value());
+  if (!lpClass)
+    return;
+
   v8::String::Utf8Value szPropName(info.GetIsolate(), property);
   ByteStringView szFxPropName(*szPropName, szPropName.length());
   auto lpThisValue = pdfium::MakeUnique<CFXJSE_Value>(info.GetIsolate());
   lpThisValue->ForceSetValue(thisObject);
-
   auto lpNewValue = pdfium::MakeUnique<CFXJSE_Value>(info.GetIsolate());
   lpNewValue->ForceSetValue(value);
   DynPropSetterAdapter(lpClass, lpThisValue.get(), szFxPropName,
-- 
cgit v1.2.3