Title: [117108] trunk/Source
Revision
117108
Author
[email protected]
Date
2012-05-15 11:51:02 -0700 (Tue, 15 May 2012)

Log Message

Deep copy PluginModuleInfo before passing across thread boundary.
<http://webkit.org/b/86491>
<rdar://problem/11451178>

Reviewed by Anders Carlsson.

Source/WebCore:

* plugins/PluginData.h:
(MimeClassInfo):
(WebCore::MimeClassInfo::isolatedCopy):
(PluginInfo):
(WebCore::PluginInfo::isolatedCopy):

Source/WebKit2:

Since the vector of PluginModuleInfo objects returned by PluginInfoStore::plugins()
can end up being passed to another thread, we should clone it to make sure it's
safe to do so.

No new tests, speculative use-after-free fix.

* Shared/Plugins/PluginModuleInfo.h:
(PluginModuleInfo):
(WebKit::PluginModuleInfo::isolatedCopy):
* UIProcess/Plugins/PluginInfoStore.cpp:
(WebKit::PluginInfoStore::plugins):


Diff

Modified: trunk/Source/WebCore/ChangeLog (117107 => 117108)


--- trunk/Source/WebCore/ChangeLog	2012-05-15 18:47:46 UTC (rev 117107)
+++ trunk/Source/WebCore/ChangeLog	2012-05-15 18:51:02 UTC (rev 117108)
@@ -1,3 +1,17 @@
+2012-05-15  Andreas Kling  <[email protected]>
+
+        Deep copy PluginModuleInfo before passing across thread boundary.
+        <http://webkit.org/b/86491>
+        <rdar://problem/11451178>
+
+        Reviewed by Anders Carlsson.
+
+        * plugins/PluginData.h:
+        (MimeClassInfo):
+        (WebCore::MimeClassInfo::isolatedCopy):
+        (PluginInfo):
+        (WebCore::PluginInfo::isolatedCopy):
+
 2012-05-15  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r116712.

Modified: trunk/Source/WebCore/plugins/PluginData.h (117107 => 117108)


--- trunk/Source/WebCore/plugins/PluginData.h	2012-05-15 18:47:46 UTC (rev 117107)
+++ trunk/Source/WebCore/plugins/PluginData.h	2012-05-15 18:51:02 UTC (rev 117108)
@@ -33,6 +33,16 @@
     String type;
     String desc;
     Vector<String> extensions;
+
+    MimeClassInfo isolatedCopy()
+    {
+        MimeClassInfo clone;
+        clone.type = type.isolatedCopy();
+        clone.desc = desc.isolatedCopy();
+        for (unsigned i = 0; i < extensions.size(); ++i)
+            clone.extensions.append(extensions[i].isolatedCopy());
+        return clone;
+    }
 };
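Review bot: `MimeClassInfo isolatedCopy()` only reads `type`, `desc` and `extensions`, so it should be declared `const`; as written it cannot be called on a `const MimeClassInfo&` (a const container element, a const parameter) without a cast, which is exactly where a cross-thread copy is likely to be requested from. The fix is the signature line, `MimeClassInfo isolatedCopy() const`. The loop appends one element at a time; `clone.extensions.reserveInitialCapacity(extensions.size());` before it avoids repeated growth for plugins that register many extensions. A one-line comment on the method would also help the next reader, since nothing at this site says why a plain copy is not enough: `// Copy whose Strings share no StringImpl with this object, so the result can be handed to another thread.` The enclosing struct's header is outside the hunk.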
 
 inline bool operator==(const MimeClassInfo& a, const MimeClassInfo& b)
@@ -45,6 +55,17 @@
     String file;
     String desc;
     Vector<MimeClassInfo> mimes;
+
+    PluginInfo isolatedCopy()
+    {
+        PluginInfo clone;
+        clone.name = name.isolatedCopy();
+        clone.file = file.isolatedCopy();
+        clone.desc = desc.isolatedCopy();
+        for (unsigned i = 0; i < mimes.size(); ++i)
+            clone.mimes.append(mimes[i].isolatedCopy());
+        return clone;
+    }
 };
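Review bot: `PluginInfo::isolatedCopy()` is non-const and relies on `mimes[i].isolatedCopy()` being callable on a non-const element, so constifying either method later will break the other; both should become `const` together, `PluginInfo isolatedCopy() const`, which also documents that the original is left untouched. `clone.mimes.reserveInitialCapacity(mimes.size());` before the loop avoids one reallocation per MIME entry. Note that `name`, `file` and `desc` are all copied with `isolatedCopy()` here while the comparison operator for this struct is outside the hunk, so I cannot confirm every member of PluginInfo is covered; a comment such as `// Every member must be copied here; a field left out is shared across threads again.` would make that invariant visible at the point where fields get added. The enclosing struct's header is outside the hunk.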
 
 // FIXME: merge with PluginDatabase in the future

Modified: trunk/Source/WebKit2/ChangeLog (117107 => 117108)


--- trunk/Source/WebKit2/ChangeLog	2012-05-15 18:47:46 UTC (rev 117107)
+++ trunk/Source/WebKit2/ChangeLog	2012-05-15 18:51:02 UTC (rev 117108)
@@ -1,3 +1,23 @@
+2012-05-15  Andreas Kling  <[email protected]>
+
+        Deep copy PluginModuleInfo before passing across thread boundary.
+        <http://webkit.org/b/86491>
+        <rdar://problem/11451178>
+
+        Reviewed by Anders Carlsson.
+
+        Since the vector of PluginModuleInfo objects returned by PluginInfoStore::plugins()
+        can end up being passed to another thread, we should clone it to make sure it's
+        safe to do so.
+
+        No new tests, speculative use-after-free fix.
+
+        * Shared/Plugins/PluginModuleInfo.h:
+        (PluginModuleInfo):
+        (WebKit::PluginModuleInfo::isolatedCopy):
+        * UIProcess/Plugins/PluginInfoStore.cpp:
+        (WebKit::PluginInfoStore::plugins):
+
 2012-05-15  Andy Estes  <[email protected]>
 
         Guard Netscape plug-in code with ENABLE(NETSCAPE_PLUGIN_API)

Modified: trunk/Source/WebKit2/Shared/Plugins/PluginModuleInfo.h (117107 => 117108)


--- trunk/Source/WebKit2/Shared/Plugins/PluginModuleInfo.h	2012-05-15 18:47:46 UTC (rev 117107)
+++ trunk/Source/WebKit2/Shared/Plugins/PluginModuleInfo.h	2012-05-15 18:51:02 UTC (rev 117108)
@@ -41,6 +41,21 @@
 #elif PLATFORM(WIN)
     uint64_t fileVersion;
 #endif
+
+    PluginModuleInfo isolatedCopy()
+    {
+        PluginModuleInfo clone;
+        clone.path = path.isolatedCopy();
+        clone.info = info.isolatedCopy();
+#if PLATFORM(MAC)
+        clone.pluginArchitecture = pluginArchitecture;
+        clone.bundleIdentifier = bundleIdentifier.isolatedCopy();
+        clone.versionString = versionString.isolatedCopy();
+#elif PLATFORM(WIN)
+        clone.fileVersion = fileVersion;
+#endif
+        return clone;
+    }
 };
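Review bot: The member list in `PluginModuleInfo::isolatedCopy()` is a hand-maintained mirror of the struct, and a String-holding field added to PluginModuleInfo later but not to this method would silently reintroduce the shared-refcount problem this commit is fixing, with no compiler diagnostic; I would add a comment at the top of the method stating that invariant, `// Keep in sync with the members above: any String left out of this copy is shared with the original across threads.` The method reads only its own members and should be `PluginModuleInfo isolatedCopy() const`, matching the `const` accessors this store already exposes. The platform-conditional block has no `#else`, which is fine today but means a third platform gets only `path` and `info` copied; worth a one-line note if that is intentional. The struct's header and the remaining members are outside the hunk.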
 
 } // namespace WebKit

Modified: trunk/Source/WebKit2/UIProcess/Plugins/PluginInfoStore.cpp (117107 => 117108)


--- trunk/Source/WebKit2/UIProcess/Plugins/PluginInfoStore.cpp	2012-05-15 18:47:46 UTC (rev 117107)
+++ trunk/Source/WebKit2/UIProcess/Plugins/PluginInfoStore.cpp	2012-05-15 18:51:02 UTC (rev 117108)
@@ -115,7 +115,13 @@
 {
     MutexLocker locker(m_pluginsLock);
     loadPluginsIfNecessary();
-    return m_plugins;
+
+    // Let the copy begin!
+    Vector<PluginModuleInfo> infos;
+    for (unsigned i = 0; i < m_plugins.size(); ++i)
+        infos.append(m_plugins[i].isolatedCopy());
+
+    return infos;
 }
 
 PluginModuleInfo PluginInfoStore::findPluginForMIMEType(const String& mimeType) const
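Review bot: The new comment `// Let the copy begin!` does not record why `return m_plugins;` was no longer acceptable, and the reason is the only thing a future maintainer needs to keep from "optimizing" this back to a plain copy; I would replace it with a two-line comment saying that the returned vector may be handed to another thread and that WTF::String objects must therefore not share their StringImpl with the entries in m_plugins (the commit message frames this as a speculative use-after-free fix, so the comment should say that too). `infos.reserveInitialCapacity(m_plugins.size());` before the loop avoids repeated growth while holding `m_pluginsLock`. The lock is correctly held for the whole copy, which is what makes the snapshot consistent. `findPluginForMIMEType` (last context line) and any sibling lookup that returns a single entry from m_plugins by value would have the same problem if their results cross a thread boundary; their bodies are outside the hunk, as is the `plugins()` signature itself.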