Changeset 140886 in webkit

Timestamp: Jan 25, 2013, 5:26:08 PM
Author: haraken@chromium.org
Message:

Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
https://bugs.webkit.org/show_bug.cgi?id=107904

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix.

  • dom/PopStateEvent.h:
    (WebCore::PopStateEvent::serializedState):
  • page/History.cpp:
    (WebCore::History::isSameAsCurrentState):
  • page/History.h:
    (History):
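
The failure mode the message describes, shown as an added illustration that is not WebKit code: a minimal stand-in for WTF::RefCounted and WTF::RefPtr (the names Value, Host, RefPtr, g_live and deserialize() are all hypothetical) in which the "script" run part-way through deserialization drops the owner's only reference. The live-object registry exists only so the unsafe path can be observed without reading freed memory; it stands in for what AddressSanitizer would report in the real code.

```cpp
// Added example, not WebKit code. Demonstrates why a raw pointer held across
// a call that can re-enter script is a use-after-free, and why a local RefPtr
// (or a PassRefPtr return value) closes the hole.
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Registry of live objects: a stand-in for the knowledge a sanitizer has.
// Only used to make the unsafe path observable without touching freed memory.
static std::set<const void*> g_live;

// Hypothetical intrusively ref-counted value, like SerializedScriptValue.
class Value {
public:
    explicit Value(std::string data) : m_data(std::move(data)) { g_live.insert(this); }
    ~Value() { g_live.erase(this); }

    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }

    const std::string& data() const { return m_data; }

private:
    int m_refCount = 0;
    std::string m_data;
};

// Minimal RefPtr: owns one reference for as long as it is alive.
template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    void clear() { RefPtr tmp; std::swap(m_ptr, tmp.m_ptr); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }

private:
    T* m_ptr = nullptr;
};

// Host owns the only reference, like PopStateEvent::m_serializedState.
struct Host {
    RefPtr<Value> state { new Value("hello") };
};

// Deserialization that re-enters "script" (the callback) and then reads the
// value. The liveness check stands in for the memory read ASan would flag;
// a real deserialize() has no such check and would read freed memory.
std::string deserialize(Value* value, const std::function<void()>& runScript) {
    runScript();                        // may drop the last reference to *value
    if (!g_live.count(value))
        return "<use-after-free>";      // *value was destroyed under us
    return value->data();
}

// Unsafe: a raw pointer, no reference held while script runs.
std::string deserializeWithRawPointer() {
    Host host;
    Value* raw = host.state.get();
    return deserialize(raw, [&host] { host.state.clear(); });
}

// Safe: a local RefPtr keeps the object alive for the duration of the call,
// which is what holding the PassRefPtr returned by serializedState() achieves.
std::string deserializeWithRefPtr() {
    Host host;
    RefPtr<Value> kept = host.state;
    return deserialize(kept.get(), [&host] { host.state.clear(); });
}

int main() {
    std::cout << "raw pointer: " << deserializeWithRawPointer() << "\n";
    std::cout << "RefPtr:      " << deserializeWithRefPtr() << "\n";
    return 0;
}
```

The script callback clearing `host.state` plays the role of whatever the real deserializer can run; the point is not that script will always do this, but that the caller cannot rule it out, so the reference must be held by the code that makes the call rather than by the object being read.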

Location: trunk/Source/WebCore
Files: 4 edited

  • trunk/Source/WebCore/ChangeLog

    r140884 r140886  
     12013-01-25  Kentaro Hara  <haraken@chromium.org>
     2
     3        Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
     4        https://bugs.webkit.org/show_bug.cgi?id=107904
     5
     6        Reviewed by Abhishek Arya.
     7
     8        If you use a raw SerializedScriptValue* for serialize()/deserialize(),
     9        it can potentially cause a use-after-free. This is because serialize()/
     10        deserialize() can destruct a RefPtr of the SerializedScriptValue*,
     11        depending on data that is serialized/deserialized. So we should keep a
     12        RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
     13        (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
     14
     15        No tests. This is just a just-in-case fix.
     16
     17        * dom/PopStateEvent.h:
     18        (WebCore::PopStateEvent::serializedState):
     19        * page/History.cpp:
     20        (WebCore::History::isSameAsCurrentState):
     21        * page/History.h:
     22        (History):
     23
    1242013-01-25  Kentaro Hara  <haraken@chromium.org>
    225
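Review bot: the entry's title and body (lines 3 and 12 of the new ChangeLog text) name the type `RefPtr<SerializedScriptValue*>`, which would be a RefPtr to a pointer, while the code in this changeset uses `PassRefPtr<SerializedScriptValue>`; suggest matching the wording to the code. Also, none of the four files in this changeset contains a call to serialize() or deserialize(), so the protection described here depends entirely on the callers of serializedState() keeping the returned PassRefPtr alive for the whole call; naming those callers in the entry would make the "just-in-case" reasoning checkable.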
  • trunk/Source/WebCore/dom/PopStateEvent.h

    r120791 r140886  
    4949    static PassRefPtr<PopStateEvent> create(const AtomicString&, const PopStateEventInit&);
    5050
    51     SerializedScriptValue* serializedState() const { return m_serializedState.get(); }
     51    PassRefPtr<SerializedScriptValue> serializedState() const { return m_serializedState; }
    5252    const ScriptValue& state() const { return m_state; }
    5353    History* history() const { return m_history.get(); }
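Review bot: returning PassRefPtr from the const getter is the right shape for this fix, but it only helps callers that either bind the result to a RefPtr/PassRefPtr or use it within a single full expression; a caller that writes `SerializedScriptValue* s = event->serializedState().get();` gets the dangling-pointer pattern back, because the temporary releases its reference at the end of that statement. Suggest checking that every caller spells it `RefPtr<SerializedScriptValue> state = event->serializedState();`, and noting in a comment on the getter why the return type is not a raw pointer.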
  • trunk/Source/WebCore/page/History.cpp

    r140748 r140886  
    7878}
    7979
    80 bool History::isSameAsCurrentState(SerializedScriptValue* state) const
     80bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const
    8181{
    8282    return state == stateInternal();
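Review bot: `state == stateInternal()` is an object-identity comparison, not a comparison of serialized content, exactly as before, and nothing in this function calls serialize() or deserialize(), so the PassRefPtr parameter only keeps `state` alive across a pointer comparison. In WebKit style a PassRefPtr parameter signals that the callee takes ownership, which this function does not do; the actual motivation (accepting the PassRefPtr now returned by PopStateEvent::serializedState() without a `.get()`) deserves a comment, or the parameter could remain `SerializedScriptValue*` with the caller holding the RefPtr.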
  • trunk/Source/WebCore/page/History.h

    r140759 r140886  
    5656
    5757    bool stateChanged() const;
    58     bool isSameAsCurrentState(SerializedScriptValue*) const;
     58    bool isSameAsCurrentState(PassRefPtr<SerializedScriptValue>) const;
    5959
    6060    enum StateObjectType {
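Review bot: the declaration now spells `PassRefPtr<SerializedScriptValue>`, but the hunk shows no include or forward declaration being added; confirm that History.h already pulls in wtf/PassRefPtr.h (directly or through an existing header) rather than relying on History.cpp's includes, since other translation units that include History.h would otherwise fail to compile.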