Don't trust CJX_Objects handed back from JavaScript.
Implement our own dynamic typing to ensure we are not making
bad casts since we don't have RTTI. There are so many ways
that JS can apply methods/getters to objects that this provides
another line of defense.
Put all the type information constants into the header so that
they can be easily checked against the actual class hierarchy.
The changes to the .cpp files should all be boilerplate, except
for CJX_Object, which has no superclass.
Apply the check inside the jse_define.h macros before making the cast.
Bug: chromium:922864
Change-Id: I4d5faf572949a72168b39d43d33eea22659194b1
Reviewed-on: https://pdfium-review.googlesource.com/c/48650
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/xfa/cjx_handler.h b/fxjs/xfa/cjx_handler.h
index a5ad537..348eaf1 100644
--- a/fxjs/xfa/cjx_handler.h
+++ b/fxjs/xfa/cjx_handler.h
@@ -17,10 +17,16 @@
explicit CJX_Handler(CXFA_Handler* node);
~CJX_Handler() override;
+ // CJX_Object:
+ bool DynamicTypeIs(TypeTag eType) const override;
+
JSE_PROP(version);
private:
using Type__ = CJX_Handler;
+ using ParentType__ = CJX_TextNode;
+
+ static const TypeTag static_type__ = TypeTag::Handler;
};
#endif // FXJS_XFA_CJX_HANDLER_H_
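Review bot: nothing in this hunk ties `using ParentType__ = CJX_TextNode;` to the class's actual base, so if CJX_Handler's inheritance ever changes the alias silently goes stale and DynamicTypeIs() would walk the wrong chain; since the commit message's stated goal is that the header constants can be checked against the real hierarchy, consider adding a `static_assert(std::is_base_of<ParentType__, Type__>::value, "");` beside the aliases (with `<type_traits>` included), and please confirm that the matching `DynamicTypeIs` definition lands in cjx_handler.cpp since only the declaration is visible here.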