commit c62aa207e9acb919c33df5f3694fe159619dda86
author Tom Sepez <tsepez@chromium.org> Mon Jul 23 23:12:14 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Mon Jul 23 23:12:14 2018 +0000
tree 8584f29b95261d6504e5a88679c12140928b22a1
parent 1116ef0b1c45a4968d45a21d995193a7670126b3

Tighten up ThisProxy casts.

Previous CLs have shown that the "lpClass" checks aren't sufficient
here, so ensure we are always checking C++ enum value before
downcasting this type.

Change-Id: I418127c5e7131e0a3363363a60d1976719d6837c
Reviewed-on: https://pdfium-review.googlesource.com/38550
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

fxjs/cfxjse_engine.cpp

diff --git a/fxjs/cfxjse_engine.cpp b/fxjs/cfxjse_engine.cpp
index 3efe335..c5cc89a 100644
--- a/fxjs/cfxjse_engine.cpp
+++ b/fxjs/cfxjse_engine.cpp
@@ -66,7 +66,10 @@
 const char kFormCalcRuntime[] = "pfm_rt";
 
 CXFA_ThisProxy* ToThisProxy(CFXJSE_Value* pValue) {
-  return static_cast<CXFA_ThisProxy*>(pValue->ToHostObject());
+  CFXJSE_HostObject* pHostObject = pValue->ToHostObject();
+  if (!pHostObject)
+    return nullptr;
+  return CXFA_ThisProxy::FromCXFAObject(pHostObject->AsCXFAObject());
 }
 
 }  // namespace
@@ -470,10 +473,10 @@
 
 CXFA_Object* CFXJSE_Engine::GetVariablesThis(CXFA_Object* pObject,
                                              bool bScriptNode) {
-  if (!pObject->IsVariablesThis())
+  CXFA_ThisProxy* pProxy = CXFA_ThisProxy::FromCXFAObject(pObject);
+  if (!pProxy)
     return pObject;
 
-  CXFA_ThisProxy* pProxy = static_cast<CXFA_ThisProxy*>(pObject);
   return bScriptNode ? pProxy->GetScriptNode() : pProxy->GetThisNode();
 }
 

xfa/fxfa/parser/cxfa_thisproxy.cpp

diff --git a/xfa/fxfa/parser/cxfa_thisproxy.cpp b/xfa/fxfa/parser/cxfa_thisproxy.cpp
index 314c98c..a3593e9 100644
--- a/xfa/fxfa/parser/cxfa_thisproxy.cpp
+++ b/xfa/fxfa/parser/cxfa_thisproxy.cpp
@@ -10,6 +10,12 @@
 #include "third_party/base/ptr_util.h"
 #include "xfa/fxfa/parser/cxfa_node.h"
 
+// static
+CXFA_ThisProxy* CXFA_ThisProxy::FromCXFAObject(CXFA_Object* that) {
+  return that && that->IsVariablesThis() ? static_cast<CXFA_ThisProxy*>(that)
+                                         : nullptr;
+}
+
 CXFA_ThisProxy::CXFA_ThisProxy(CXFA_Node* pThisNode, CXFA_Node* pScriptNode)
     : CXFA_Object(pThisNode->GetDocument(),
                   XFA_ObjectType::VariablesThis,
@@ -19,4 +25,4 @@
       m_pThisNode(pThisNode),
       m_pScriptNode(pScriptNode) {}
 
-CXFA_ThisProxy::~CXFA_ThisProxy() {}
+CXFA_ThisProxy::~CXFA_ThisProxy() = default;

xfa/fxfa/parser/cxfa_thisproxy.h

diff --git a/xfa/fxfa/parser/cxfa_thisproxy.h b/xfa/fxfa/parser/cxfa_thisproxy.h
index 197a97d..e86a6b5 100644
--- a/xfa/fxfa/parser/cxfa_thisproxy.h
+++ b/xfa/fxfa/parser/cxfa_thisproxy.h
@@ -13,6 +13,8 @@
 
 class CXFA_ThisProxy : public CXFA_Object {
  public:
+  static CXFA_ThisProxy* FromCXFAObject(CXFA_Object* that);
+
   CXFA_ThisProxy(CXFA_Node* pThisNode, CXFA_Node* pScriptNode);
   ~CXFA_ThisProxy() override;