
Issue 728200 link


Issue metadata

Status: Fixed
Owner:
Closed: Jul 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security




Security: PDFium JS: Field::m_pJSDoc lifetime issue

Project Member Reported by tsepez@chromium.org, May 31 2017

Issue description

Converting Field::m_pJSDoc to an unowned ptr fails. Running routine tests as such shows that the Field object may live as long as the V8 isolate, but several documents and/or FormFillEnvironments may be loaded during the isolate's lifetime.

There shouldn't be any way to reach the Field from JS once a new context is created for the new document, nor is the stale field used during cleanup, hence severity low.
 

Comment 1 by tsepez@chromium.org, May 31 2017

Cc: thestig@chromium.org dsinclair@chromium.org

Project Member Comment 2 by sheriffbot@chromium.org, Jun 1 2017

Labels: Pri-2
Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows

Project Member Comment 4 by sheriffbot@chromium.org, Jun 5 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Available (was: Untriaged)

Comment 6 Deleted

Probably just a matter of the Field holding a v8::Global<> back to the document so that it won't get gc'd away out from underneath it.
Status: Fixed (was: Started)
2cbae7328b4eb31a fixed this some time ago.

Project Member Comment 9 by sheriffbot@chromium.org, Jul 25

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member Comment 10 by sheriffbot@chromium.org, Oct 31

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
