Security: PDFium JS: Field::m_pJSDoc lifetime issue
Issue description: Converting Field::m_pJSDoc to an unowned ptr fails. Running routine tests as such shows that the Field object may live as long as the V8 isolate, but several documents and/or FormFillEnvironments may be loaded during the isolate's lifetime. There shouldn't be any way to reach the Field from JS once a new context is created for the new document, nor is the stale field used during cleanup, hence severity low.
Jun 1 2017
Jun 5 2017
Jun 5 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 5 2018
Jun 7 2018
Probably just a matter of the Field holding a v8::Global<> back to the document so that it won't get gc'd away out from underneath it.
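As an added illustration, not PDFium's own code, the lifetime hazard from the issue description and the back-reference fix suggested in the comment above, modelled with standard-library smart pointers standing in for V8 handles: Document, ObservingField, OwningField and the reload scenario are all constructed for this example.

```cpp
// Added example, not PDFium code: models the Field/document lifetime hazard.
// Field wrappers are kept in an isolate-scoped container that outlives any one
// document, so a Field that merely observes its document is left dangling when
// the document is torn down and a new one loaded. Giving the Field shared
// ownership (the analogue of holding a v8::Global<> back to the document) fixes it.
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Document {  // stands in for the per-document JS document object
  std::string name;
  explicit Document(std::string n) : name(std::move(n)) {}
};

// Before: the Field only observes its document. A weak_ptr is used instead of
// the original raw pointer so that the dangling state can be detected rather
// than dereferenced.
struct ObservingField {
  std::weak_ptr<Document> doc;
  bool docAlive() const { return !doc.expired(); }
};

// After: the Field holds a strong reference, so the document cannot be
// destroyed out from underneath it.
struct OwningField {
  std::shared_ptr<Document> doc;
  bool docAlive() const { return doc != nullptr; }
};

// Loads doc1, creates a Field for it in an isolate-scoped container, then
// replaces doc1 with doc2 (doc1's environment is torn down at that point).
// Returns whether the retained Field still has a live document.
template <class FieldT>
bool fieldValidAfterReload() {
  std::vector<FieldT> isolateScopedFields;  // lives as long as the "isolate"
  auto current = std::make_shared<Document>("doc1.pdf");
  isolateScopedFields.push_back(FieldT{current});
  current = std::make_shared<Document>("doc2.pdf");  // doc1 destroyed here
  return isolateScopedFields.front().docAlive();
}

bool observingFieldValid() { return fieldValidAfterReload<ObservingField>(); }
bool owningFieldValid() { return fieldValidAfterReload<OwningField>(); }

int main() {
  // Expected: observing field dangles (false), owning field stays valid (true).
  return (!observingFieldValid() && owningFieldValid()) ? 0 : 1;
}
```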
Jul 24
2cbae7328b4eb31a fixed this some time ago.
Jul 25
Oct 31
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, May 31 2017