commit c46c516ba93b70851f021de5449591600c58f517
author Tom Sepez <tsepez@chromium.org> Fri Dec 14 22:30:41 2018 +0000
committer Chromium commit bot <commit-bot@chromium.org> Fri Dec 14 22:30:41 2018 +0000
tree f74d574e459181883bfe6f9533bccfc670f7d584
parent 3de08dd61026197fd08f8243ca214cf39b6f20ee

XFA: Avoid infinite recursion when deleting a ThisProxy object property.

Rather than setting it to undefined, which might invoke an interceptor and
trap back into ourselves, delete the property which avoids the interceptor.

Bug: chromium:913566
Change-Id: If64cd37a6f934f47ebfc43c14269e55baa9422b7
Reviewed-on: https://pdfium-review.googlesource.com/c/47332
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

fxjs/xfa/cfxjse_engine.cpp

diff --git a/fxjs/xfa/cfxjse_engine.cpp b/fxjs/xfa/cfxjse_engine.cpp
index eb5c955..70b8d60 100644
--- a/fxjs/xfa/cfxjse_engine.cpp
+++ b/fxjs/xfa/cfxjse_engine.cpp
@@ -194,7 +194,7 @@
   }
   if (lpOrginalNode->IsThisProxy()) {
     if (pValue && pValue->IsUndefined()) {
-      pObject->SetObjectOwnProperty(szPropName, pValue);
+      pObject->DeleteObjectProperty(szPropName);
       return;
     }
   }