Changeset 140891 in webkit
- Timestamp: Jan 25, 2013 5:36:40 PM (11 years ago)
- Location: trunk/Source/WebCore
- Files: 4 edited
trunk/Source/WebCore/ChangeLog
r140887 r140891 1 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 3 Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent 4 https://bugs.webkit.org/show_bug.cgi?id=107900 5 6 Reviewed by Abhishek Arya. 7 8 If you use a raw SerializedScriptValue* for serialize()/deserialize(), 9 it can potentially cause a use-after-free. This is because serialize()/ 10 deserialize() can destruct a RefPtr of the SerializedScriptValue*, 11 depending on data that is serialized/deserialized. So we should keep a 12 RefPtr<SerializedScriptValue*> when we call serialize()/deserialize(). 13 (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.) 14 15 No tests. This is just a just-in-case fix. I couldn't find any bug 16 even in an ASAN build. 17 18 * bindings/js/JSMessageEventCustom.cpp: 19 (WebCore::JSMessageEvent::data): 20 * bindings/v8/custom/V8MessageEventCustom.cpp: 21 (WebCore::V8MessageEvent::dataAccessorGetter): 22 * dom/MessageEvent.h: 23 (WebCore::MessageEvent::dataAsSerializedScriptValue): 24 1 25 2013-01-25 Kentaro Hara <haraken@chromium.org> 2 26 -
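Review bot: the title and the sentence "we should keep a RefPtr<SerializedScriptValue*>" describe a RefPtr to a pointer, while the code in this patch holds `RefPtr<SerializedScriptValue>`; the ChangeLog should use the type the code uses. It would also help a later reader if the entry named which serialized data can cause deserialize() to drop the last reference instead of only pointing at bug 107792, since the entry itself says no test reproduces the problem.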
trunk/Source/WebCore/bindings/js/JSMessageEventCustom.cpp
r133953 r140891 63 63 64 64 case MessageEvent::DataTypeSerializedScriptValue: 65 if ( SerializedScriptValue*serializedValue = event->dataAsSerializedScriptValue()) {65 if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue()) { 66 66 MessagePortArray* ports = static_cast<MessageEvent*>(impl())->ports(); 67 67 result = serializedValue->deserialize(exec, globalObject(), ports, NonThrowing); -
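Review bot: the unchanged line after the new RefPtr still reaches the event through `static_cast<MessageEvent*>(impl())->ports()` although `event` is already in scope on the line above; `event->ports()`, as V8MessageEventCustom.cpp does in the same patch, avoids the cast. Separately, `ports` is a raw `MessagePortArray*` handed to the same deserialize() call that the ChangeLog says can release references depending on the data, so it is worth confirming that the event keeps the port array alive for the whole call, otherwise the fix only covers one of the two raw pointers passed in.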
trunk/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
r140729 r140891 59 59 60 60 case MessageEvent::DataTypeSerializedScriptValue: 61 if ( SerializedScriptValue*serializedValue = event->dataAsSerializedScriptValue())61 if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue()) 62 62 result = serializedValue->deserialize(info.GetIsolate(), event->ports()); 63 63 else -
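Review bot: this mirrors the JSC hunk, but since the ChangeLog states the bug could not be triggered even under ASAN, a one-line comment at this site saying why a RefPtr rather than a raw pointer is required (deserialize() can run code that releases the event's data) would stop a future cleanup from reverting it to `SerializedScriptValue*`. Note also that a RefPtr declared in the `if` condition stays alive through the `else` branch; harmless here, but a reader may wonder why the ref outlives the branch that needs it.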
trunk/Source/WebCore/dom/MessageEvent.h
r135587 r140891 109 109 DataType dataType() const { return m_dataType; } 110 110 const ScriptValue& dataAsScriptValue() const { ASSERT(m_dataType == DataTypeScriptValue); return m_dataAsScriptValue; } 111 SerializedScriptValue* dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue.get(); }111 PassRefPtr<SerializedScriptValue> dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue; } 112 112 String dataAsString() const { ASSERT(m_dataType == DataTypeString); return m_dataAsString; } 113 113 Blob* dataAsBlob() const { ASSERT(m_dataType == DataTypeBlob); return m_dataAsBlob.get(); }
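Review bot: the header change is not needed for the fix: the two call sites construct `RefPtr<SerializedScriptValue>` from the getter's result, and a RefPtr built from a raw `SerializedScriptValue*` takes its own reference just as well. Returning `PassRefPtr<SerializedScriptValue>` from a const getter also departs from the convention on the neighbouring lines (`dataAsBlob()` returns `Blob*`), where PassRefPtr signals transfer of ownership, and it makes every other caller of dataAsSerializedScriptValue() pay a ref/deref pair. Either keep the raw-pointer getter and rely on the callers' RefPtr, or, if the intent is to force callers to hold a reference, return `RefPtr<SerializedScriptValue>` and say so in a comment next to the ASSERT.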
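The ChangeLog describes a general pattern: a raw pointer to a ref-counted object is passed into a call that can run arbitrary code, and that code drops the last reference before the callee is finished with the object. The following stand-alone C++ example, added here and not part of WebKit or of r140891, reproduces the before and after of the patch with a toy `RefPtr`, a toy `SerializedValue` and a `MessageEventLike` holder (all hypothetical names). Instead of reading freed memory, `deserialize()` consults a registry of live objects, so the use-after-free becomes an observable return value without needing ASAN; the "script" that drops the reference is a constructed callback that replaces the event's data mid-call.

```cpp
#include <cassert>
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Minimal intrusive smart pointer standing in for WTF::RefPtr (hypothetical, not WebKit's).
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* p) { if (p) p->ref(); T* old = m_ptr; m_ptr = p; if (old) old->deref(); return *this; }
    RefPtr& operator=(const RefPtr& o) { return *this = o.m_ptr; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr;
};

// Ref-counted payload standing in for SerializedScriptValue. Every live instance is
// recorded in a registry so a freed pointer can be recognised without dereferencing it.
class SerializedValue {
public:
    static RefPtr<SerializedValue> create(std::string payload) { return RefPtr<SerializedValue>(new SerializedValue(std::move(payload))); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    const std::string& payload() const { return m_payload; }
    static bool isLive(const SerializedValue* p) { return liveSet().count(p) != 0; }
private:
    explicit SerializedValue(std::string p) : m_payload(std::move(p)) { liveSet().insert(this); }
    ~SerializedValue() { liveSet().erase(this); }
    static std::set<const SerializedValue*>& liveSet() { static std::set<const SerializedValue*> s; return s; }
    unsigned m_refCount = 0;
    std::string m_payload;
};

// Holder standing in for MessageEvent: owns the value through a RefPtr and exposes the
// raw-pointer getter the patch's call sites used before r140891.
class MessageEventLike {
public:
    explicit MessageEventLike(RefPtr<SerializedValue> data) : m_data(data) {}
    SerializedValue* dataAsSerializedScriptValue() const { return m_data.get(); }
    void setData(RefPtr<SerializedValue> d) { m_data = d; }
    std::function<void(MessageEventLike&)> onDeserialize; // script that runs in the middle of deserialize()
private:
    RefPtr<SerializedValue> m_data;
};

// Stands in for SerializedScriptValue::deserialize(): it runs script first, then reads the
// value. If the script dropped the last reference, the pointer is dangling by the time it is read.
std::string deserialize(SerializedValue* value, MessageEventLike& event) {
    if (event.onDeserialize)
        event.onDeserialize(event);
    if (!SerializedValue::isLive(value))
        return "<use-after-free>"; // a real build would read freed heap memory here
    return value->payload();
}

// Call site as it was before the patch: the raw pointer holds no reference of its own.
std::string dataBeforeFix(MessageEventLike& event) {
    if (SerializedValue* v = event.dataAsSerializedScriptValue())
        return deserialize(v, event);
    return "<null>";
}

// Call site as patched: the RefPtr keeps the value alive until deserialize() returns.
std::string dataAfterFix(MessageEventLike& event) {
    if (RefPtr<SerializedValue> v = event.dataAsSerializedScriptValue())
        return deserialize(v.get(), event);
    return "<null>";
}

// Constructed scenario: the script replaces the event's data, releasing the only reference.
MessageEventLike makeHostileEvent() {
    MessageEventLike event(SerializedValue::create("hello"));
    event.onDeserialize = [](MessageEventLike& e) { e.setData(RefPtr<SerializedValue>()); };
    return event;
}

int main() {
    MessageEventLike before = makeHostileEvent();
    MessageEventLike after = makeHostileEvent();
    std::cout << "raw pointer: " << dataBeforeFix(before) << "\n";
    std::cout << "RefPtr:      " << dataAfterFix(after) << "\n";
    return 0;
}
```

The live-set check is only a demonstration aid: it cannot see an address that the allocator reused for a new `SerializedValue` before the check, which is exactly the case where a real use-after-free turns into a type confusion. The fix in the patch does not depend on detection at all; holding a `RefPtr` across the call makes the callee's release of the holder's reference harmless, because the caller's reference keeps the refcount above zero until the result has been read.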