Changeset 117108 in webkit


Timestamp:
May 15, 2012 11:51:02 AM (12 years ago)
Author:
kling@webkit.org
Message:

Deep copy PluginModuleInfo before passing across thread boundary.
<http://webkit.org/b/86491>
<rdar://problem/11451178>

Reviewed by Anders Carlsson.

Source/WebCore:

  • plugins/PluginData.h:

(MimeClassInfo):
(WebCore::MimeClassInfo::isolatedCopy):
(PluginInfo):
(WebCore::PluginInfo::isolatedCopy):

Source/WebKit2:

Since the vector of PluginModuleInfo objects returned by PluginInfoStore::plugins()
can end up being passed to another thread, we should clone it to make sure it's
safe to do so.

No new tests, speculative use-after-free fix.

  • Shared/Plugins/PluginModuleInfo.h:

(PluginModuleInfo):
(WebKit::PluginModuleInfo::isolatedCopy):

  • UIProcess/Plugins/PluginInfoStore.cpp:

(WebKit::PluginInfoStore::plugins):

Location:
trunk/Source
Files:
5 edited

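--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,16 @@
+2012-05-15  Andreas Kling  <kling@webkit.org>
+
+        Deep copy PluginModuleInfo before passing across thread boundary.
+        <http://webkit.org/b/86491>
+        <rdar://problem/11451178>
+
+        Reviewed by Anders Carlsson.
+
+        * plugins/PluginData.h:
+        (MimeClassInfo):
+        (WebCore::MimeClassInfo::isolatedCopy):
+        (PluginInfo):
+        (WebCore::PluginInfo::isolatedCopy):
+
 2012-05-15  Sheriff Bot  <webkit.review.bot@gmail.com>
 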
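--- a/trunk/Source/WebCore/plugins/PluginData.h
+++ b/trunk/Source/WebCore/plugins/PluginData.h
@@ -34,4 +34,14 @@
     String desc;
     Vector<String> extensions;
+
+    MimeClassInfo isolatedCopy()
+    {
+        MimeClassInfo clone;
+        clone.type = type.isolatedCopy();
+        clone.desc = desc.isolatedCopy();
+        for (unsigned i = 0; i < extensions.size(); ++i)
+            clone.extensions.append(extensions[i].isolatedCopy());
+        return clone;
+    }
 };
 
@@ -46,4 +56,14 @@
     String desc;
     Vector<MimeClassInfo> mimes;
+
+    PluginInfo isolatedCopy()
+    {
+        PluginInfo clone;
+        clone.name = name.isolatedCopy();
+        clone.file = file.isolatedCopy();
+        clone.desc = desc.isolatedCopy();
+        for (unsigned i = 0; i < mimes.size(); ++i)
+            clone.mimes.append(mimes[i].isolatedCopy());
+        return clone;
+    }
 };
 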
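Review bot: Both new `isolatedCopy()` methods are declared non-const although they only read `*this`, so they cannot be called through a `const MimeClassInfo&` or `const PluginInfo&`; `MimeClassInfo isolatedCopy() const` and `PluginInfo isolatedCopy() const` keep the same bodies. The element loops grow `clone.extensions` / `clone.mimes` one append at a time; a `clone.extensions.reserveInitialCapacity(extensions.size())` (and likewise for `mimes`) before each loop avoids the repeated growth. Since the purpose of these copies is that no String storage stays shared with the original once the clone crosses a thread, a comment above each method such as `// Deep-copies every String-bearing member; a String shared across threads is the use-after-free this exists to prevent.` would make that invariant visible to whoever adds the next field.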
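--- a/trunk/Source/WebKit2/ChangeLog
+++ b/trunk/Source/WebKit2/ChangeLog
@@ -1,2 +1,22 @@
+2012-05-15  Andreas Kling  <kling@webkit.org>
+
+        Deep copy PluginModuleInfo before passing across thread boundary.
+        <http://webkit.org/b/86491>
+        <rdar://problem/11451178>
+
+        Reviewed by Anders Carlsson.
+
+        Since the vector of PluginModuleInfo objects returned by PluginInfoStore::plugins()
+        can end up being passed to another thread, we should clone it to make sure it's
+        safe to do so.
+
+        No new tests, speculative use-after-free fix.
+
+        * Shared/Plugins/PluginModuleInfo.h:
+        (PluginModuleInfo):
+        (WebKit::PluginModuleInfo::isolatedCopy):
+        * UIProcess/Plugins/PluginInfoStore.cpp:
+        (WebKit::PluginInfoStore::plugins):
+
 2012-05-15  Andy Estes  <aestes@apple.com>
 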
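--- a/trunk/Source/WebKit2/Shared/Plugins/PluginModuleInfo.h
+++ b/trunk/Source/WebKit2/Shared/Plugins/PluginModuleInfo.h
@@ -42,4 +42,19 @@
     uint64_t fileVersion;
 #endif
+
+    PluginModuleInfo isolatedCopy()
+    {
+        PluginModuleInfo clone;
+        clone.path = path.isolatedCopy();
+        clone.info = info.isolatedCopy();
+#if PLATFORM(MAC)
+        clone.pluginArchitecture = pluginArchitecture;
+        clone.bundleIdentifier = bundleIdentifier.isolatedCopy();
+        clone.versionString = versionString.isolatedCopy();
+#elif PLATFORM(WIN)
+        clone.fileVersion = fileVersion;
+#endif
+        return clone;
+    }
 };
 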
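Review bot: `isolatedCopy()` lists the members by hand under `#if PLATFORM(MAC)` / `#elif PLATFORM(WIN)`, so a field added to `PluginModuleInfo` later — in particular another `String` — is silently left out of the clone and would again share its storage across threads, which is exactly the condition this change is meant to remove. A comment at the top of the member list, e.g. `// Keep isolatedCopy() in sync: every String member must be deep-copied before the object crosses a thread boundary.`, would make that coupling visible, since nothing in the code enforces it. As in PluginData.h, the method does not modify `*this` and can be `PluginModuleInfo isolatedCopy() const`. The member declarations the method copies begin above the hunk.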
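--- a/trunk/Source/WebKit2/UIProcess/Plugins/PluginInfoStore.cpp
+++ b/trunk/Source/WebKit2/UIProcess/Plugins/PluginInfoStore.cpp
@@ -116,5 +116,11 @@
     MutexLocker locker(m_pluginsLock);
     loadPluginsIfNecessary();
-    return m_plugins;
+
+    // Let the copy begin!
+    Vector<PluginModuleInfo> infos;
+    for (unsigned i = 0; i < m_plugins.size(); ++i)
+        infos.append(m_plugins[i].isolatedCopy());
+
+    return infos;
 }
 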
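Review bot: The comment `// Let the copy begin!` on the new line 119 does not say why the former `return m_plugins;` was unsafe, which is the one thing a future reader needs before "simplifying" this back to a plain return; replace it with something like `// The returned vector may be handed to another thread, so deep-copy each entry: the Strings in m_plugins must not share their storage across threads (see PluginModuleInfo::isolatedCopy).` The copy is performed while `m_pluginsLock` is held, which looks right since `m_plugins` is the shared state the lock protects. `infos.reserveInitialCapacity(m_plugins.size())` before the loop would avoid re-growing the vector on each append. The signature of `plugins()` is above the hunk.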