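--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2011-05-19 Andrew Wilson <[email protected]>
+
+ Reviewed by Darin Adler.
+
+ MessagePortArray cloning code needs to verify source before copying
+ https://bugs.webkit.org/show_bug.cgi?id=61130
+
+ * fast/events/message-port-multi-expected.txt:
+ * fast/events/resources/message-port-multi.js:
+ Added test for "passing an array with an item at a really large index" to postMessage().
+
 2011-05-19 Justin Schuh <[email protected]>
 Unreviewed.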
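--- a/trunk/LayoutTests/fast/events/message-port-multi-expected.txt
+++ b/trunk/LayoutTests/fast/events/message-port-multi-expected.txt
@@ -9,6 +9,7 @@
 PASS channel.port1.postMessage("notAPort", [channel3.port1, {}, channel3.port2]) threw exception TypeError: Type error.
 PASS channel.port1.postMessage("notAnArray", channel3.port1) threw exception TypeError: Type error.
 PASS channel.port1.postMessage("notASequence", [{length: 3}]) threw exception TypeError: Type error.
+PASS channel.port1.postMessage("largeSequence", largePortArray) threw exception Error: INVALID_STATE_ERR: DOM Exception 11.
 PASS event.ports is null when no port sent
 PASS event.ports is null when empty array sent
 PASS event.ports contains two ports when two ports sent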
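--- a/trunk/LayoutTests/fast/events/resources/message-port-multi.js
+++ b/trunk/LayoutTests/fast/events/resources/message-port-multi.js
@@ -8,6 +8,7 @@
 var channel = new MessageChannel();
 var channel2 = new MessageChannel();
 var channel3 = new MessageChannel();
+var channel4 = new MessageChannel();
 channel.port1.postMessage("noport");
 channel.port1.postMessage("zero ports", []);
@@ -24,6 +25,12 @@
 shouldThrow('channel.port1.postMessage("notAnArray", channel3.port1)')
 shouldThrow('channel.port1.postMessage("notASequence", [{length: 3}])');
+// Should not crash (we should figure out that the array contains undefined
+// entries).
+var largePortArray = [];
+largePortArray[1234567890] = channel4.port1;
+shouldThrow('channel.port1.postMessage("largeSequence", largePortArray)');
+
 channel.port1.postMessage("done");
 channel.port2._onmessage_ = function(event) {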
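--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2011-05-19 Andrew Wilson <[email protected]>
+
+ Reviewed by Darin Adler.
+
+ MessagePortArray cloning code needs to verify source before copying.
+ https://bugs.webkit.org/show_bug.cgi?id=61130
+
+ * bindings/js/JSMessagePortCustom.cpp:
+ (WebCore::fillMessagePortArray):
+ Changed code to not pre-allocate the destination array.
+ * bindings/v8/custom/V8MessagePortCustom.cpp:
+ (WebCore::getMessagePortArray):
+ Changed code to not pre-allocate the destination array.
+
 2011-05-19 Sheriff Bot <[email protected]>
 Unreviewed, rolling out r86869, r86873, r86875, and r86877.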
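--- a/trunk/Source/WebCore/bindings/js/JSMessagePortCustom.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSMessagePortCustom.cpp
@@ -75,7 +75,6 @@
 if (exec->hadException())
 return;
- portArray.resize(length);
 for (unsigned i = 0 ; i < length; ++i) {
 JSValue value = object->get(exec, i);
 if (exec->hadException())
@@ -92,7 +91,7 @@
 throwTypeError(exec);
 return;
 }
- portArray[i] = port.release();
+ portArray.append(port.release());
 }
 }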
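Review bot: Dropping `portArray.resize(length)` removes the up-front allocation sized by the script-supplied sequence length, but the `for (unsigned i = 0 ; i < length; ++i)` loop in the first hunk is still bounded only by that same `length`, so an array-like whose every index yields a MessagePort could keep `fillMessagePortArray` calling `object->get` and appending for up to 2^32-1 iterations; the new test only covers the sparse case, where (as far as the visible checks show) the first unset entry ends the loop early. The same loop bound applies to `getMessagePortArray` in V8MessagePortCustom.cpp. Unless a caller already caps the count (not visible here), either document that the loop is bounded by the caller's sequence or reject lengths above a reasonable limit. The reason for not pre-sizing is also not recorded in the code; I'd add above the loop `// Do not pre-size portArray from the script-provided length: sparse or` / `// array-like inputs may leave entries unset, so only validated ports are appended.` fillMessagePortArray's signature and the sequence-length conversion lie before the first hunk.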
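--- a/trunk/Source/WebCore/bindings/v8/custom/V8MessagePortCustom.cpp
+++ b/trunk/Source/WebCore/bindings/v8/custom/V8MessagePortCustom.cpp
@@ -86,8 +86,8 @@
 }
 length = sequenceLength->Uint32Value();
 }
- portArray.resize(length);
+ // Validate the passed array of ports.
 for (unsigned int i = 0; i < length; ++i) {
 v8::Local<v8::Value> port = ports->Get(v8::Integer::New(i));
 // Validation of non-null objects, per HTML5 spec 8.3.3.
@@ -100,7 +100,7 @@
 throwError("MessagePortArray argument must contain only MessagePorts");
 return false;
 }
- portArray[i] = V8MessagePort::toNative(v8::Handle<v8::Object>::Cast(port));
+ portArray.append(V8MessagePort::toNative(v8::Handle<v8::Object>::Cast(port)));
 }
 return true;
 }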
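Review bot: `ports->Get(v8::Integer::New(i))` at the top of the loop can return an empty handle when the element's getter throws, and the validation that follows (the lines between the two hunks are not visible here) needs to bail on `port.IsEmpty()` before the `V8MessagePort::toNative(v8::Handle<v8::Object>::Cast(port))` on the new last line dereferences it; if that guard is already present, this is fine. The added `// Validate the passed array of ports.` comment would be more useful if it also said why `resize` went away: I'd extend it to `// Validate the passed array of ports. length is script-controlled, so it only bounds the loop; portArray grows by append rather than being pre-sized.` The enclosing getMessagePortArray starts before the first hunk.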