Changeset 140891 in webkit


Timestamp:
Jan 25, 2013 5:36:40 PM (11 years ago)
Author:
haraken@chromium.org
Message:

Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent
https://bugs.webkit.org/show_bug.cgi?id=107900

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix. I couldn't find any bug
even in an ASAN build.

  • bindings/js/JSMessageEventCustom.cpp:
    (WebCore::JSMessageEvent::data):
  • bindings/v8/custom/V8MessageEventCustom.cpp:
    (WebCore::V8MessageEvent::dataAccessorGetter):
  • dom/MessageEvent.h:
    (WebCore::MessageEvent::dataAsSerializedScriptValue):
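The lifetime problem the message describes, as an added example that is not part of this changeset or of WebKit: a minimal intrusive ref-counted type standing in for SerializedScriptValue, a tiny `Ref` class standing in for WTF::RefPtr, an `Event` holding the payload the way MessageEvent does, and a re-entrant `deserializeAndReenter()` that replaces the event's payload during the call. The two functions at the bottom show the getter shape before and after the fix; all of these names are hypothetical stand-ins.

```cpp
#include <utility>
static int g_destroyedObjects = 0; // destructor counter: detects a freed object without touching it
struct SerializedValue {           // stand-in for SerializedScriptValue
    int refCount = 0, payload;
    explicit SerializedValue(int p) : payload(p) {}
    ~SerializedValue() { ++g_destroyedObjects; }
};

class Ref {                        // tiny intrusive smart pointer, like WTF::RefPtr<SerializedScriptValue>
public:
    Ref() = default;
    explicit Ref(SerializedValue* p) : m_ptr(p) { if (m_ptr) ++m_ptr->refCount; }
    Ref(const Ref& other) : Ref(other.m_ptr) {}
    Ref& operator=(Ref other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~Ref() { if (m_ptr && --m_ptr->refCount == 0) delete m_ptr; }
    SerializedValue* get() const { return m_ptr; }
    SerializedValue* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    SerializedValue* m_ptr = nullptr;
};

struct Event {                     // stand-in for MessageEvent, which owns its payload via RefPtr
    Ref data;
    SerializedValue* dataRaw() const { return data.get(); } // getter shape before r140891
    Ref dataRef() const { return data; }                      // getter shape after r140891 (PassRefPtr in WebKit)
};

// Models deserialize() re-entering script that replaces the event's payload, dropping the
// event's reference to the old object. In WebKit whether this happens depends on the data.
static void deserializeAndReenter(Event& event) { event.data = Ref(new SerializedValue(0)); }

// Before the fix: returns true when the raw pointer is left dangling across the call.
bool rawPointerDangles(Event& event) {
    int destroyedBefore = g_destroyedObjects;
    SerializedValue* value = event.dataRaw();     // no reference taken
    if (!value) return false;
    deserializeAndReenter(event);                  // event held the last ref: object deleted
    return g_destroyedObjects != destroyedBefore;  // 'value' now points at freed memory
}

// After the fix: the local Ref keeps the object alive until the block ends. Returns the
// payload read after the re-entrant call, which is now safe.
int refPtrReadAfterReentry(Event& event) {
    Ref value = event.dataRef();                   // local reference added: refCount becomes 2
    if (!value) return -1;
    deserializeAndReenter(event);                  // event's ref dropped, ours remains
    return value->payload;                         // safe: refCount is still 1
}
bool demoRaw() { Event e; e.data = Ref(new SerializedValue(42)); return rawPointerDangles(e); }
int demoRef() { Event e; e.data = Ref(new SerializedValue(42)); return refPtrReadAfterReentry(e); }
```

The raw-pointer version never dereferences the dead pointer; it only reports that the object went away while the pointer was still in scope, which is the condition an ASAN build would flag if the code did read through it.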

Location:
trunk/Source/WebCore
Files:
4 edited

  • trunk/Source/WebCore/ChangeLog

    r140887 r140891  
     12013-01-25  Kentaro Hara  <haraken@chromium.org>
     2
     3        Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent
     4        https://bugs.webkit.org/show_bug.cgi?id=107900
     5
     6        Reviewed by Abhishek Arya.
     7
     8        If you use a raw SerializedScriptValue* for serialize()/deserialize(),
     9        it can potentially cause a use-after-free. This is because serialize()/
     10        deserialize() can destruct a RefPtr of the SerializedScriptValue*,
     11        depending on data that is serialized/deserialized. So we should keep a
     12        RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
     13        (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
     14
     15        No tests. This is just a just-in-case fix. I couldn't find any bug
     16        even in an ASAN build.
     17
     18        * bindings/js/JSMessageEventCustom.cpp:
     19        (WebCore::JSMessageEvent::data):
     20        * bindings/v8/custom/V8MessageEventCustom.cpp:
     21        (WebCore::V8MessageEvent::dataAccessorGetter):
     22        * dom/MessageEvent.h:
     23        (WebCore::MessageEvent::dataAsSerializedScriptValue):
     24
    1252013-01-25  Kentaro Hara  <haraken@chromium.org>
    226
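Review bot: the type named in the title and on line 12 of the entry, `RefPtr<SerializedScriptValue*>`, does not match the code in this revision, which introduces `RefPtr<SerializedScriptValue>` at the two call sites and `PassRefPtr<SerializedScriptValue>` in MessageEvent.h; RefPtr is parameterised on the pointee type, so the `*` should be dropped in both places. Lines 15-16 say "No tests": a regression test whose deserialization path releases the event's reference to the SerializedScriptValue would exercise exactly the path this guards, and running it under ASAN would turn a just-in-case fix into a verified one.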
  • trunk/Source/WebCore/bindings/js/JSMessageEventCustom.cpp

    r133953 r140891  
    6363
    6464    case MessageEvent::DataTypeSerializedScriptValue:
    65         if (SerializedScriptValue* serializedValue = event->dataAsSerializedScriptValue()) {
     65        if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue()) {
    6666            MessagePortArray* ports = static_cast<MessageEvent*>(impl())->ports();
    6767            result = serializedValue->deserialize(exec, globalObject(), ports, NonThrowing);
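Review bot: taking the reference on line 65 before the call on line 67 is the right shape, since deserialize() is the call that can drop the event's own reference to the value. Style point on line 66: `static_cast<MessageEvent*>(impl())->ports()` reaches the event a second way although `event` is already in hand on line 65, and the V8 binding in this same revision writes `event->ports()`; using `event->ports()` here keeps the two bindings identical.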
  • trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp

    r140729 r140891  
    5959
    6060    case MessageEvent::DataTypeSerializedScriptValue:
    61         if (SerializedScriptValue* serializedValue = event->dataAsSerializedScriptValue())
     61        if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue())
    6262            result = serializedValue->deserialize(info.GetIsolate(), event->ports());
    6363        else
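Review bot: line 61 matches the JSC binding's change, but `event->ports()` on line 62 is still handed into deserialize() as a raw `MessagePortArray*` with no reference held across the same call that the ChangeLog says can release references; confirm the array is owned by the event and cannot be released during deserialize() the way the SerializedScriptValue could, or give it the same treatment.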
  • trunk/Source/WebCore/dom/MessageEvent.h

    r135587 r140891  
    109109    DataType dataType() const { return m_dataType; }
    110110    const ScriptValue& dataAsScriptValue() const { ASSERT(m_dataType == DataTypeScriptValue); return m_dataAsScriptValue; }
    111     SerializedScriptValue* dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue.get(); }
     111    PassRefPtr<SerializedScriptValue> dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue; }
    112112    String dataAsString() const { ASSERT(m_dataType == DataTypeString); return m_dataAsString; }
    113113    Blob* dataAsBlob() const { ASSERT(m_dataType == DataTypeBlob); return m_dataAsBlob.get(); }
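Review bot: returning `PassRefPtr<SerializedScriptValue>` from the const getter on line 111 makes it impossible for a caller to hold the value without taking a reference, which is the intent, but the two call sites could equally have assigned the raw pointer into a local `RefPtr<SerializedScriptValue>`, which also refs; the signature change is a guard for future callers rather than a requirement of the fix, and the ChangeLog should say so. Note also the asymmetry with line 113, where `dataAsBlob()` still returns a raw `Blob*` via `m_dataAsBlob.get()`; if the same re-entrancy concern applies to Blob data it deserves the same treatment, and if not, a comment explaining why would help the next reader.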