Segv when PDF-side JS object property getter invoked from XFA.
The PDF-side native objects require that the current v8 context
has been set-up to point at the state (via CJS_Runtime) for the
getters, setters, and methods to operate against. XFA doesn't
supply a context with that state, so at the first opportunity for
a PDF-side object to be leaked to XFA, set up the context to mimic
the PDF side.
Changed FXJS_GetRuntimeFromIsolate() to FXJS_GetRuntimeFromV8Context()
for consistency with the newly added method.
BUG=pdfium:266
R=jochen@chromium.org
Review URL: https://codereview.chromium.org/1412103010 .
diff --git a/fpdfsdk/include/jsapi/fxjs_v8.h b/fpdfsdk/include/jsapi/fxjs_v8.h
index 7051840..001823f 100644
--- a/fpdfsdk/include/jsapi/fxjs_v8.h
+++ b/fpdfsdk/include/jsapi/fxjs_v8.h
@@ -133,7 +133,13 @@
v8::Global<v8::Context>& v8PersistentContext);
void FXJS_ReleaseRuntime(v8::Isolate* pIsolate,
v8::Global<v8::Context>& v8PersistentContext);
-IJS_Runtime* FXJS_GetRuntimeFromIsolate(v8::Isolate* pIsolate);
+
+// Called as part of FXJS_InitializeRuntime, exposed so PDF can make its
+// own contexts compatible with XFA or vice versa.
+void FXJS_SetRuntimeForV8Context(v8::Local<v8::Context> v8Context,
+ IJS_Runtime* pIRuntime);
+
+IJS_Runtime* FXJS_GetRuntimeFromV8Context(v8::Local<v8::Context> v8Context);
// Called after FXJS_InitializeRuntime call made.
int FXJS_Execute(v8::Isolate* pIsolate,
diff --git a/fpdfsdk/src/javascript/JS_Define.h b/fpdfsdk/src/javascript/JS_Define.h
index 3ebd075..b097aaa 100644
--- a/fpdfsdk/src/javascript/JS_Define.h
+++ b/fpdfsdk/src/javascript/JS_Define.h
@@ -78,8 +78,8 @@
v8::Local<v8::String> property,
const v8::PropertyCallbackInfo<v8::Value>& info) {
v8::Isolate* isolate = info.GetIsolate();
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(isolate));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -104,8 +104,8 @@
v8::Local<v8::Value> value,
const v8::PropertyCallbackInfo<void>& info) {
v8::Isolate* isolate = info.GetIsolate();
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(isolate));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -143,8 +143,8 @@
const char* class_name_string,
const v8::FunctionCallbackInfo<v8::Value>& info) {
v8::Isolate* isolate = info.GetIsolate();
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(isolate));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -366,8 +366,8 @@
v8::Local<v8::String> property,
const v8::PropertyCallbackInfo<v8::Value>& info) {
v8::Isolate* isolate = info.GetIsolate();
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(isolate));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -393,8 +393,8 @@
v8::Local<v8::Value> value,
const v8::PropertyCallbackInfo<v8::Value>& info) {
v8::Isolate* isolate = info.GetIsolate();
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(isolate));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -417,7 +417,8 @@
v8::Local<v8::String> property,
const v8::PropertyCallbackInfo<v8::Boolean>& info) {
v8::Isolate* isolate = info.GetIsolate();
- IJS_Runtime* pRuntime = FXJS_GetRuntimeFromIsolate(isolate);
+ IJS_Runtime* pRuntime =
+ FXJS_GetRuntimeFromV8Context(isolate->GetCurrentContext());
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
@@ -439,8 +440,8 @@
*F)(IJS_Context*, const CJS_Parameters&, CJS_Value&, CFX_WideString&)>
void JSGlobalFunc(const char* func_name_string,
const v8::FunctionCallbackInfo<v8::Value>& info) {
- CJS_Runtime* pRuntime =
- static_cast<CJS_Runtime*>(FXJS_GetRuntimeFromIsolate(info.GetIsolate()));
+ CJS_Runtime* pRuntime = static_cast<CJS_Runtime*>(
+ FXJS_GetRuntimeFromV8Context(info.GetIsolate()->GetCurrentContext()));
if (!pRuntime)
return;
IJS_Context* pContext = pRuntime->GetCurrentContext();
diff --git a/fpdfsdk/src/javascript/JS_Runtime.cpp b/fpdfsdk/src/javascript/JS_Runtime.cpp
index 8b0475b..ecb53d2 100644
--- a/fpdfsdk/src/javascript/JS_Runtime.cpp
+++ b/fpdfsdk/src/javascript/JS_Runtime.cpp
@@ -245,12 +245,20 @@
v8::Locker lock(GetIsolate());
v8::Isolate::Scope isolate_scope(GetIsolate());
v8::HandleScope handle_scope(GetIsolate());
+ v8::Local<v8::Context> old_context = GetIsolate()->GetCurrentContext();
v8::Local<v8::Context> context =
v8::Local<v8::Context>::New(GetIsolate(), m_context);
v8::Context::Scope context_scope(context);
- // v8::Local<v8::Context> tmpCotext =
- // v8::Local<v8::Context>::New(GetIsolate(), m_context);
+ // Caution: We're about to hand to XFA an object that in order to invoke
+ // methods will require that the current v8::Context always has a pointer
+ // to a CJS_Runtime in its embedder data slot. Unfortunately, XFA creates
+ // its own v8::Context which has not initialized the embedder data slot.
+ // Do so now.
+ // TODO(tsepez): redesign PDF-side objects to not rely on v8::Context's
+ // embedder data slots, and/or to always use the right context.
+ FXJS_SetRuntimeForV8Context(old_context, this);
+
v8::Local<v8::Value> propvalue =
context->Global()->Get(v8::String::NewFromUtf8(
GetIsolate(), name, v8::String::kNormalString, utf8Name.GetLength()));
diff --git a/fpdfsdk/src/jsapi/fxjs_v8.cpp b/fpdfsdk/src/jsapi/fxjs_v8.cpp
index 2ff515d..3413d72 100644
--- a/fpdfsdk/src/jsapi/fxjs_v8.cpp
+++ b/fpdfsdk/src/jsapi/fxjs_v8.cpp
@@ -287,7 +287,7 @@
v8::Context::Scope context_scope(v8Context);
FXJS_PerIsolateData::SetUp(pIsolate);
- v8Context->SetAlignedPointerInEmbedderData(kPerContextDataIndex, pIRuntime);
+ FXJS_SetRuntimeForV8Context(v8Context, pIRuntime);
int maxID = CFXJS_ObjDefinition::MaxID(pIsolate);
for (int i = 0; i < maxID; ++i) {
@@ -361,10 +361,14 @@
delete pData;
}
-IJS_Runtime* FXJS_GetRuntimeFromIsolate(v8::Isolate* pIsolate) {
- v8::Local<v8::Context> context = pIsolate->GetCurrentContext();
+void FXJS_SetRuntimeForV8Context(v8::Local<v8::Context> v8Context,
+ IJS_Runtime* pIRuntime) {
+ v8Context->SetAlignedPointerInEmbedderData(kPerContextDataIndex, pIRuntime);
+}
+
+IJS_Runtime* FXJS_GetRuntimeFromV8Context(v8::Local<v8::Context> v8Context) {
return static_cast<IJS_Runtime*>(
- context->GetAlignedPointerFromEmbedderData(kPerContextDataIndex));
+ v8Context->GetAlignedPointerFromEmbedderData(kPerContextDataIndex));
}
int FXJS_Execute(v8::Isolate* pIsolate,
