Changeset 135804 in webkit


Timestamp:
Nov 26, 2012 7:40:59 PM (11 years ago)
Author:
commit-queue@webkit.org
Message:

Check for empty perContextData while creating NP V8 Object.
https://bugs.webkit.org/show_bug.cgi?id=98448

Patch by Istiaque Ahmed <lazyboy@chromium.org> on 2012-11-26
Reviewed by Adam Barth.

Fixes a crash in npCreateV8ScriptObject(): if NP Invoke is called from a document
that is no longer displayed in its frame (isCurrentlyDisplayedInFrame() ==
false), V8PerContextData::from() returns null, and dereferencing that null perContextData results in an invalid memory access.

Source/WebCore:

Test: platform/chromium/plugins/empty-per-context-data.html

  • bindings/v8/NPV8Object.cpp:

(WebCore::npCreateV8ScriptObject):

LayoutTests:

  • platform/chromium/plugins/empty-per-context-data-expected.txt: Added.
  • platform/chromium/plugins/empty-per-context-data.html: Added.
  • platform/chromium/plugins/resources/script-container.html: Added.
Location:
trunk
Files:
3 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r135794 r135804  
     12012-11-26  Istiaque Ahmed  <lazyboy@chromium.org>
     2
     3        Check for empty perContextData while creating NP V8 Object.
     4        https://bugs.webkit.org/show_bug.cgi?id=98448
     5
     6        Reviewed by Adam Barth.
     7
     8        Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document
     9        that is no longer displayed in frame (isCurrentlyDisplayedInFrame() ==
     10        false), we have empty perContextData and this results in invalid memory access.
     11
     12        * platform/chromium/plugins/empty-per-context-data-expected.txt: Added.
     13        * platform/chromium/plugins/empty-per-context-data.html: Added.
     14        * platform/chromium/plugins/resources/script-container.html: Added.
     15
    1162012-11-26  Daniel Bates  <dbates@webkit.org>
    217
  • trunk/Source/WebCore/ChangeLog

    r135802 r135804  
     12012-11-26  Istiaque Ahmed  <lazyboy@chromium.org>
     2
     3        Check for empty perContextData while creating NP V8 Object.
     4        https://bugs.webkit.org/show_bug.cgi?id=98448
     5
     6        Reviewed by Adam Barth.
     7
     8        Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document
     9        that is no longer displayed in frame (isCurrentlyDisplayedInFrame() ==
     10        false), we have empty perContextData and this results in invalid memory access.
     11
     12        Test: platform/chromium/plugins/empty-per-context-data.html
     13
     14        * bindings/v8/NPV8Object.cpp:
     15        (WebCore::npCreateV8ScriptObject):
     16
    1172012-11-26  Michael Saboff  <msaboff@apple.com>
    218
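--- a/trunk/Source/WebCore/bindings/v8/NPV8Object.cpp
+++ b/trunk/Source/WebCore/bindings/v8/NPV8Object.cpp
@@ -145,27 +145,31 @@
     }
 
-    int v8ObjectHash = object->GetIdentityHash();
-    ASSERT(v8ObjectHash);
-    V8NPObjectMap* v8NPObjectMap = V8PerContextData::from(object->CreationContext())->v8NPObjectMap();
-    V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
-    if (iter != v8NPObjectMap->end()) {
-        V8NPObjectVector& objects = iter->value;
-        for (size_t index = 0; index < objects.size(); ++index) {
-            V8NPObject* v8npObject = objects.at(index);
-            if (v8npObject->rootObject == root) {
-                ASSERT(v8npObject->v8Object == object);
-                _NPN_RetainObject(&v8npObject->object);
-                return reinterpret_cast<NPObject*>(v8npObject);
+    V8NPObjectVector* objectVector = 0;
+    if (V8PerContextData* perContextData = V8PerContextData::from(object->CreationContext())) {
+        int v8ObjectHash = object->GetIdentityHash();
+        ASSERT(v8ObjectHash);
+        V8NPObjectMap* v8NPObjectMap = perContextData->v8NPObjectMap();
+        V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
+        if (iter != v8NPObjectMap->end()) {
+            V8NPObjectVector& objects = iter->value;
+            for (size_t index = 0; index < objects.size(); ++index) {
+                V8NPObject* v8npObject = objects.at(index);
+                if (v8npObject->rootObject == root) {
+                    ASSERT(v8npObject->v8Object == object);
+                    _NPN_RetainObject(&v8npObject->object);
+                    return reinterpret_cast<NPObject*>(v8npObject);
+                }
             }
+        } else {
+            iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
+            objectVector = &iter->value;
         }
-    } else {
-        iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
-    }
-
+    }
     V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
     v8npObject->v8Object = v8::Persistent<v8::Object>::New(object);
     v8npObject->rootObject = root;
 
-    iter->value.append(v8npObject);
+    if (objectVector)
+        objectVector->append(v8npObject);
 
     return reinterpret_cast<NPObject*>(v8npObject);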
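Review bot: `objectVector` is only assigned in the `else` branch (no map entry yet for the hash), so when `v8NPObjectMap->find(v8ObjectHash)` succeeds but no element of that vector has `rootObject == root`, the freshly created `v8npObject` is never appended to the existing vector and so is never cached. Before this patch `iter->value.append(v8npObject)` ran unconditionally in that case, so a second root wrapping the same V8 object now gets a new, unregistered wrapper on every call, and any later lookup through the map (including whatever release path removes entries, which is outside this hunk) will not find it. Moving the assignment out of the `else` so the branch ends with `iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;` `}` and is followed by `objectVector = &iter->value;` restores the old behaviour while keeping the new null guard. A short comment on the final `if (objectVector)` would also help, since the unregistered-wrapper case is otherwise silent, e.g. `// No V8PerContextData (per bug 98448 the context's document is no longer displayed): hand out the wrapper but it cannot be cached in the per-context map.` npCreateV8ScriptObject begins before and ends after this hunk.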