Check for global flag on global proxy objects.

Second line of defense for issue in the associated bug.

Bug: chromium:862059
Change-Id: I58ba890dfe02c89dd6bcfa23e2e116e107f9adbc
Reviewed-on: https://pdfium-review.googlesource.com/37991
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
diff --git a/fxjs/cfxjs_engine.cpp b/fxjs/cfxjs_engine.cpp
index 1a02ec9..8587b8a 100644
--- a/fxjs/cfxjs_engine.cpp
+++ b/fxjs/cfxjs_engine.cpp
@@ -586,17 +586,33 @@
 
 // static
 CJS_Object* CFXJS_Engine::GetObjectPrivate(v8::Local<v8::Object> pObj) {
-  CFXJS_PerObjectData* pData = CFXJS_PerObjectData::GetFromObject(pObj);
-  if (!pData && !pObj.IsEmpty()) {
-    // It could be a global proxy object.
-    v8::Local<v8::Value> v = pObj->GetPrototype();
-    if (v->IsObject()) {
-      pData = CFXJS_PerObjectData::GetFromObject(
-          v->ToObject(v8::Isolate::GetCurrent()->GetCurrentContext())
-              .ToLocalChecked());
-    }
-  }
-  return pData ? pData->m_pPrivate.get() : nullptr;
+  auto* pData = CFXJS_PerObjectData::GetFromObject(pObj);
+  if (pData)
+    return pData->m_pPrivate.get();
+
+  if (pObj.IsEmpty())
+    return nullptr;
+
+  // It could be a global proxy object, in which case the prototype holds
+  // the actual bound object.
+  v8::Local<v8::Value> val = pObj->GetPrototype();
+  if (!val->IsObject())
+    return nullptr;
+
+  auto* pProtoData = CFXJS_PerObjectData::GetFromObject(val.As<v8::Object>());
+  if (!pProtoData)
+    return nullptr;
+
+  auto* pIsolateData = FXJS_PerIsolateData::Get(v8::Isolate::GetCurrent());
+  if (!pIsolateData)
+    return nullptr;
+
+  CFXJS_ObjDefinition* pObjDef =
+      pIsolateData->ObjDefinitionForID(pProtoData->m_ObjDefID);
+  if (!pObjDef || pObjDef->m_ObjType != FXJSOBJTYPE_GLOBAL)
+    return nullptr;
+
+  return pProtoData->m_pPrivate.get();
 }
 
 v8::Local<v8::Array> CFXJS_Engine::GetConstArray(const WideString& name) {
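Review bot: The `if (pObj.IsEmpty())` guard in the new GetObjectPrivate body sits after the first `CFXJS_PerObjectData::GetFromObject(pObj)` call, so an empty handle reaches that lookup unguarded (the removed code had the same ordering); if GetFromObject dereferences the handle — its body is outside this hunk — the guard never fires in time. Moving `if (pObj.IsEmpty()) return nullptr;` to the top of the function, ahead of the first lookup, makes the check effective at no cost. The FXJSOBJTYPE_GLOBAL test is the substance of the change but carries no explanation; a comment such as `// Only trust the prototype's private data when that prototype is the real global object; a non-global object whose prototype carries per-object data must not be mistaken for it.` would tell the next reader why a bare prototype hit is not enough. Consider also spelling `pObjDef` and `pData` consistently (both `auto*` or both explicit), since the mix within one short function reads as two authors.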