Ensure pProtoNode is a template in CJX_Object::ScriptAttributeString.

Malformed documents may result in other nodes being found here. In
turn, beef up the test harness to handle null returns in a few places.

Bug: chromium:1327884
Change-Id: I5139d2c4041908123b8317ab826352c3430d05d7
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/94010
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
diff --git a/fxjs/BUILD.gn b/fxjs/BUILD.gn
index fa20e38..da1ac55 100644
--- a/fxjs/BUILD.gn
+++ b/fxjs/BUILD.gn
@@ -287,6 +287,7 @@
         "xfa/cfxjse_value_embeddertest.cpp",
         "xfa/cjx_hostpseudomodel_embeddertest.cpp",
         "xfa/cjx_list_embeddertest.cpp",
+        "xfa/cjx_object_embeddertest.cpp",
       ]
       deps += [
         ":gc",
diff --git a/fxjs/xfa/cjx_object.cpp b/fxjs/xfa/cjx_object.cpp
index bbd5a25..f06fe1b 100644
--- a/fxjs/xfa/cjx_object.cpp
+++ b/fxjs/xfa/cjx_object.cpp
@@ -1031,7 +1031,7 @@
   } else if (!wsID.IsEmpty()) {
     pProtoNode = GetDocument()->GetNodeByID(pProtoRoot, wsID.AsStringView());
   }
-  if (!pProtoNode)
+  if (!pProtoNode || pProtoNode->GetPacketType() != XFA_PacketType::Template)
     return;
 
   CXFA_Node* pHeadChild = GetXFANode()->GetFirstChild();
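Review bot: The new packet-type condition on the `if (!pProtoNode || ...)` line carries no comment saying why a non-template node must be rejected, and the code around it does not make the reason clear. The commit message explains that malformed documents can make the lookup return other nodes, and that belongs next to the check: `// Malformed documents can make the SOM/ID lookup return a node outside the template packet; only template nodes are valid prototypes.` The function starts and ends outside this hunk, so which later statements depend on the node being a template is inferred from the commit message rather than visible here. The silent `return` also leaves no trace that a prototype reference was dropped, which is worth stating in the same comment.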
diff --git a/fxjs/xfa/cjx_object_embeddertest.cpp b/fxjs/xfa/cjx_object_embeddertest.cpp
new file mode 100644
index 0000000..4a7185e
--- /dev/null
+++ b/fxjs/xfa/cjx_object_embeddertest.cpp
@@ -0,0 +1,15 @@
+// Copyright 2022 PDFium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "fxjs/xfa/cjx_object.h"
+
+#include "testing/gtest/include/gtest/gtest.h"
+#include "testing/xfa_js_embedder_test.h"
+
+class CJX_ObjectEmbedderTest : public XFAJSEmbedderTest {};
+
+// Should not crash, but document is not valid.
+TEST_F(CJX_ObjectEmbedderTest, BUG_1327884) {
+  ASSERT_FALSE(OpenDocument("bug_1327884.pdf"));
+}
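Review bot: `ASSERT_FALSE(OpenDocument("bug_1327884.pdf"))` also passes when the resource is missing or the load fails at an earlier stage, so this regression test can succeed without ever reaching CJX_Object::ScriptAttributeString. The comment above the test should record which stage is expected to reject the document, for example `// The PDF loads but its malformed XFA yields no usable document; the prototype lookup in ScriptAttributeString must run without crashing.`, adjusted to the actual failure point. If the harness can report that the PDF itself was loaded before the XFA step failed, asserting that as well would stop the test from passing vacuously.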
diff --git a/testing/resources/bug_1327884.pdf b/testing/resources/bug_1327884.pdf
new file mode 100644
index 0000000..0e28c06
--- /dev/null
+++ b/testing/resources/bug_1327884.pdf
@@ -0,0 +1,6 @@
+%PDF
+1 0 obj<</Pages 2 0 R/AcroForm<</XFA 30 0 R>>>>2 0 obj<</>
+30 0 obj<<>>stream
+<xdp xmlns="http://ns.adobe.com/xdp/"><con0ig><acrobat><acrobat0></acrobat0></acrobat></con0ig><template><desc e=""use=" .[use=&quot;*&quot;]"
+endobj
+trailer<</Root 1 0 R>>
\ No newline at end of file
diff --git a/testing/xfa_js_embedder_test.cpp b/testing/xfa_js_embedder_test.cpp
index b3bd582..b15f8f4 100644
--- a/testing/xfa_js_embedder_test.cpp
+++ b/testing/xfa_js_embedder_test.cpp
@@ -40,7 +40,11 @@
   if (!pContext)
     return nullptr;
 
-  return pContext->GetXFADoc()->GetXFADoc();
+  CXFA_FFDoc* pFFDoc = pContext->GetXFADoc();
+  if (!pFFDoc)
+    return nullptr;
+
+  return pFFDoc->GetXFADoc();
 }
 
 v8::Local<v8::Value> XFAJSEmbedderTest::GetValue() const {
@@ -58,7 +62,11 @@
           filename, password, linearize_option, javascript_option)) {
     return false;
   }
-  script_context_ = GetXFADocument()->GetScriptContext();
+  CXFA_Document* pDoc = GetXFADocument();
+  if (!pDoc)
+    return false;
+
+  script_context_ = pDoc->GetScriptContext();
   return true;
 }
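Review bot: The added `return false` for a null `pDoc` is indistinguishable to callers from the earlier `return false` where the underlying open fails, although by this point the PDF appears to have been opened. A short comment would make the distinction explicit, e.g. `// The PDF loaded but produced no XFA document; report failure.` On this path `script_context_` also keeps whatever value it had before. If a fixture can open more than one document, `script_context_ = nullptr;` before the return would avoid leaving a stale pointer. The function begins outside the hunk, so the initial state of `script_context_` is not visible here.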