Changeset 140887 in webkit
- Timestamp:
- Jan 25, 2013 5:28:40 PM (11 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
bindings/v8/custom/V8CustomEventCustom.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/WebCore/ChangeLog
r140886 r140887 1 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 3 [V8] Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() (part 1) 4 https://bugs.webkit.org/show_bug.cgi?id=107891 5 6 Reviewed by Abhishek Arya. 7 8 If you use a raw SerializedScriptValue* for serialize()/deserialize(), 9 it can potentially cause a use-after-free. This is because serialize()/ 10 deserialize() can destruct a RefPtr of the SerializedScriptValue*, 11 depending on data that is serialized/deserialized. So we should keep a 12 RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). 13 (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.) 14 15 No tests. This is just a just-in-case fix. I couldn't find any bug 16 even in an ASAN build. 17 18 * bindings/v8/custom/V8CustomEventCustom.cpp: 19 (WebCore::V8CustomEvent::detailAccessorGetter): 20 1 21 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 22 -
trunk/Source/WebCore/bindings/v8/custom/V8CustomEventCustom.cpp
r138665 r140887 50 50 { 51 51 CustomEvent* imp = V8CustomEvent::toNative(info.Holder()); 52 SerializedScriptValue* serialized = imp->serializedScriptValue().get();52 RefPtr<SerializedScriptValue> serialized = imp->serializedScriptValue(); 53 53 if (serialized) { 54 54 v8::Handle<v8::Value> value = info.Holder()->GetHiddenValue(V8HiddenPropertyName::detail());
Note: See TracChangeset
for help on using the changeset viewer.
