Fix UAF in CPDFSDK_Widget::GetMixXFAWidget().

Do not allow instanceManager methods to run in Foreground XFA forms.
They are static, and their widgets should not be inserted or removed.

See "XML Forms Architecture (XFA) Specification Version 3.3", page 272.

Bug: chromium:860697
Change-Id: Ia96834e085ee508618ca4dcb2bd5271466369ede
Reviewed-on: https://pdfium-review.googlesource.com/38751
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Henrique Nakashima <hnakashima@chromium.org>
diff --git a/fxjs/xfa/cjx_instancemanager.cpp b/fxjs/xfa/cjx_instancemanager.cpp
index f44ccba..0882a18 100644
--- a/fxjs/xfa/cjx_instancemanager.cpp
+++ b/fxjs/xfa/cjx_instancemanager.cpp
@@ -12,6 +12,7 @@
 #include "fxjs/cfxjse_engine.h"
 #include "fxjs/cfxjse_value.h"
 #include "fxjs/js_resources.h"
+#include "xfa/fxfa/cxfa_ffdoc.h"
 #include "xfa/fxfa/cxfa_ffnotify.h"
 #include "xfa/fxfa/parser/cxfa_document.h"
 #include "xfa/fxfa/parser/cxfa_instancemanager.h"
@@ -135,6 +136,10 @@
 CJS_Return CJX_InstanceManager::moveInstance(
     CFX_V8* runtime,
     const std::vector<v8::Local<v8::Value>>& params) {
+  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
+  if (doc->GetFormType() != FormType::kXFAFull)
+    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
+
   if (params.size() != 2)
     return CJS_Return(JSGetStringFromID(JSMessage::kParamError));
 
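Review bot: The form-type guard is pasted verbatim into moveInstance here and into removeInstance, setInstances, addInstance and insertInstance in the following hunks, so the UAF fix holds only while every script-reachable mutation path carries its own copy. Any other path in this file that changes the instance set (a property setter, for example; none is visible in this diff) would still reach the insert/remove code on a Foreground form and should be checked. A file-local helper, sketched below, keeps the rule in one place and gives a natural home for a comment citing the spec page named in the commit message. Whether `GetDocument()` can return null here is not visible, so the null test in the sketch is a precaution. Each method body continues outside its hunk.

```cpp
namespace {

// instanceManager mutations are only valid on full XFA forms; Foreground
// forms are static and must not have widgets inserted or removed.
bool AllowsInstanceChanges(CFX_V8* runtime) {
  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
  return doc && doc->GetFormType() == FormType::kXFAFull;
}

}  // namespace

CJS_Return CJX_InstanceManager::moveInstance(
    CFX_V8* runtime,
    const std::vector<v8::Local<v8::Value>>& params) {
  if (!AllowsInstanceChanges(runtime))
    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
  // … unchanged: parameter count check and the rest of the body …
```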
@@ -162,6 +167,10 @@
 CJS_Return CJX_InstanceManager::removeInstance(
     CFX_V8* runtime,
     const std::vector<v8::Local<v8::Value>>& params) {
+  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
+  if (doc->GetFormType() != FormType::kXFAFull)
+    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
+
   if (params.size() != 1)
     return CJS_Return(JSGetStringFromID(JSMessage::kParamError));
 
@@ -202,6 +211,10 @@
 CJS_Return CJX_InstanceManager::setInstances(
     CFX_V8* runtime,
     const std::vector<v8::Local<v8::Value>>& params) {
+  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
+  if (doc->GetFormType() != FormType::kXFAFull)
+    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
+
   if (params.size() != 1)
     return CJS_Return(JSGetStringFromID(JSMessage::kParamError));
 
@@ -212,6 +225,10 @@
 CJS_Return CJX_InstanceManager::addInstance(
     CFX_V8* runtime,
     const std::vector<v8::Local<v8::Value>>& params) {
+  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
+  if (doc->GetFormType() != FormType::kXFAFull)
+    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
+
   if (!params.empty() && params.size() != 1)
     return CJS_Return(JSGetStringFromID(JSMessage::kParamError));
 
@@ -253,6 +270,10 @@
 CJS_Return CJX_InstanceManager::insertInstance(
     CFX_V8* runtime,
     const std::vector<v8::Local<v8::Value>>& params) {
+  CXFA_Document* doc = static_cast<CFXJSE_Engine*>(runtime)->GetDocument();
+  if (doc->GetFormType() != FormType::kXFAFull)
+    return CJS_Return(JSGetStringFromID(JSMessage::kNotSupportedError));
+
   if (params.size() != 1 && params.size() != 2)
     return CJS_Return(JSGetStringFromID(JSMessage::kParamError));
 
diff --git a/xfa/fxfa/parser/cxfa_document.cpp b/xfa/fxfa/parser/cxfa_document.cpp
index 5ed1d7f..5a85482 100644
--- a/xfa/fxfa/parser/cxfa_document.cpp
+++ b/xfa/fxfa/parser/cxfa_document.cpp
@@ -1478,6 +1478,10 @@
   return eVersion;
 }
 
+FormType CXFA_Document::GetFormType() const {
+  return GetNotify()->GetHDOC()->GetFormType();
+}
+
 CXFA_Node* CXFA_Document::GetNodeByID(CXFA_Node* pRoot,
                                       const WideStringView& wsID) const {
   if (!pRoot || wsID.IsEmpty())
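Review bot: `GetFormType()` dereferences `GetNotify()` and then `GetHDOC()` with no null check, and after this commit it sits on five script-callable paths. If either pointer can be null while script still runs (during document teardown, say; the diff does not show their lifetimes), the guard meant to prevent a use-after-free would itself crash. Failing closed is cheap: `CXFA_FFNotify* notify = GetNotify();` followed by `if (!notify || !notify->GetHDOC()) return FormType::kNone;`, assuming FormType has a kNone value, so every caller returns kNotSupportedError. A one-line comment on the declaration in cxfa_document.h, saying the value is taken from the owning document, would also help readers of the parser layer.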
diff --git a/xfa/fxfa/parser/cxfa_document.h b/xfa/fxfa/parser/cxfa_document.h
index 795da00..8bddcb2 100644
--- a/xfa/fxfa/parser/cxfa_document.h
+++ b/xfa/fxfa/parser/cxfa_document.h
@@ -79,6 +79,7 @@
   bool IsInteractive();
   XFA_VERSION GetCurVersionMode() { return m_eCurVersionMode; }
   XFA_VERSION RecognizeXFAVersionNumber(const WideString& wsTemplateNS);
+  FormType GetFormType() const;
 
   CXFA_Node* CreateNode(XFA_PacketType packet, XFA_Element eElement);