Changes in trunk [135803:135804] in webkit
trunk/LayoutTests/ChangeLog
r135803 r135804 1 2012-11-26 Istiaque Ahmed <lazyboy@chromium.org> 2 3 Check for empty perContextData while creating NP V8 Object. 4 https://bugs.webkit.org/show_bug.cgi?id=98448 5 6 Reviewed by Adam Barth. 7 8 Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document 9 that is no longer displayed in frame (isCurrentlyDisplayedInFrame() == 10 false), we have empty perContextData and this results in invalid memory access. 11 12 * platform/chromium/plugins/empty-per-context-data-expected.txt: Added. 13 * platform/chromium/plugins/empty-per-context-data.html: Added. 14 * platform/chromium/plugins/resources/script-container.html: Added. 15 1 16 2012-11-26 Daniel Bates <dbates@webkit.org> 2 17 -
trunk/Source/WebCore/ChangeLog
r135803 r135804 1 2012-11-26 Istiaque Ahmed <lazyboy@chromium.org> 2 3 Check for empty perContextData while creating NP V8 Object. 4 https://bugs.webkit.org/show_bug.cgi?id=98448 5 6 Reviewed by Adam Barth. 7 8 Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document 9 that is no longer displayed in frame (isCurrentlyDisplayedInFrame() == 10 false), we have empty perContextData and this results in invalid memory access. 11 12 Test: platform/chromium/plugins/empty-per-context-data.html 13 14 * bindings/v8/NPV8Object.cpp: 15 (WebCore::npCreateV8ScriptObject): 16 1 17 2012-11-26 Michael Saboff <msaboff@apple.com> 2 18 -
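--- a/trunk/Source/WebCore/bindings/v8/NPV8Object.cpp
+++ b/trunk/Source/WebCore/bindings/v8/NPV8Object.cpp
@@ -145,27 +145,31 @@
     }
 
-    int v8ObjectHash = object->GetIdentityHash();
-    ASSERT(v8ObjectHash);
-    V8NPObjectMap* v8NPObjectMap = V8PerContextData::from(object->CreationContext())->v8NPObjectMap();
-    V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
-    if (iter != v8NPObjectMap->end()) {
-        V8NPObjectVector& objects = iter->value;
-        for (size_t index = 0; index < objects.size(); ++index) {
-            V8NPObject* v8npObject = objects.at(index);
-            if (v8npObject->rootObject == root) {
-                ASSERT(v8npObject->v8Object == object);
-                _NPN_RetainObject(&v8npObject->object);
-                return reinterpret_cast<NPObject*>(v8npObject);
+    V8NPObjectVector* objectVector = 0;
+    if (V8PerContextData* perContextData = V8PerContextData::from(object->CreationContext())) {
+        int v8ObjectHash = object->GetIdentityHash();
+        ASSERT(v8ObjectHash);
+        V8NPObjectMap* v8NPObjectMap = perContextData->v8NPObjectMap();
+        V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
+        if (iter != v8NPObjectMap->end()) {
+            V8NPObjectVector& objects = iter->value;
+            for (size_t index = 0; index < objects.size(); ++index) {
+                V8NPObject* v8npObject = objects.at(index);
+                if (v8npObject->rootObject == root) {
+                    ASSERT(v8npObject->v8Object == object);
+                    _NPN_RetainObject(&v8npObject->object);
+                    return reinterpret_cast<NPObject*>(v8npObject);
+                }
             }
+        } else {
+            iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
+            objectVector = &iter->value;
         }
-    } else {
-        iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
-    }
     }
     V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
     v8npObject->v8Object = v8::Persistent<v8::Object>::New(object);
     v8npObject->rootObject = root;
 
-    iter->value.append(v8npObject);
+    if (objectVector)
+        objectVector->append(v8npObject);
 
     return reinterpret_cast<NPObject*>(v8npObject);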
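Review bot: In the branch where the hash is already in the map but no entry matches `root` (new lines 153–162), `objectVector` stays null, so the `V8NPObject` created below is no longer appended to the existing vector, whereas the old code reached `iter->value.append(v8npObject)` in that case as well. Every later call for the same object and root will then miss the cache and allocate another wrapper instead of reusing this one. Moving the assignment out of the `else` so it covers both branches — `objectVector = &iter->value;` placed right after the inner if/else closes at new line 166 — restores the previous behaviour while keeping the perContextData check. When perContextData is null the wrapper is still created and returned but never interned; whether anything later depends on finding it in the map is not visible here. The enclosing function begins before this hunk.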