Title: [127158] trunk/Source/WebKit2
Revision
127158
Author
[email protected]
Date
2012-08-30 10:41:10 -0700 (Thu, 30 Aug 2012)

Log Message

JSNPObject doesn't always protect its data when calling into plugin code
https://bugs.webkit.org/show_bug.cgi?id=95394

Reviewed by Brady Eidson.

We need to use NPRuntimeObjectMap::PluginProtector when calling into plugin code since 
there's no telling what the plugin will do, including destroying itself.

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::getOwnPropertySlot):
(WebKit::JSNPObject::getOwnPropertyDescriptor):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (127157 => 127158)


--- trunk/Source/WebKit2/ChangeLog	2012-08-30 17:32:57 UTC (rev 127157)
+++ trunk/Source/WebKit2/ChangeLog	2012-08-30 17:41:10 UTC (rev 127158)
@@ -1,3 +1,17 @@
+2012-08-29  Mark Hahnenberg  <[email protected]>
+
+        JSNPObject doesn't always protect its data when calling into plugin code
+        https://bugs.webkit.org/show_bug.cgi?id=95394
+
+        Reviewed by Brady Eidson.
+
+        We need to use NPRuntimeObjectMap::PluginProtector when calling into plugin code since 
+        there's no telling what the plugin will do, including destroying itself.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+        (WebKit::JSNPObject::getOwnPropertySlot):
+        (WebKit::JSNPObject::getOwnPropertyDescriptor):
+
 2012-08-30  Mike Sierra  <[email protected]>
 
         [QT][WK2] webview API doc
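Review bot: The new ChangeLog entry is dated 2012-08-29 but is inserted above the existing 2012-08-30 entry from Mike Sierra, and the commit itself lands on 2012-08-30, so the file is no longer in reverse-chronological order. Either bump the entry date to 2012-08-30 (the usual practice when a patch lands a day after it was written) or move it below the 2012-08-30 entry.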

Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp (127157 => 127158)


--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp	2012-08-30 17:32:57 UTC (rev 127157)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp	2012-08-30 17:41:10 UTC (rev 127158)
@@ -268,6 +268,11 @@
     
     NPIdentifier npIdentifier = npIdentifierFromIdentifier(propertyName);
 
+    // Calling NPClass::invoke will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(thisObject->m_objectMap);
+
     // First, check if the NPObject has a property with this name.
     if (thisObject->m_npObject->_class->hasProperty && thisObject->m_npObject->_class->hasProperty(thisObject->m_npObject, npIdentifier)) {
         slot.setCustom(thisObject, thisObject->propertyGetter);
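Review bot: The added comment says "Calling NPClass::invoke will call into plug-in code", but the call made right after it in getOwnPropertySlot is NPClass::hasProperty (and later the property getter), not invoke; the comment appears to have been copied from the invoke path. Suggest rewording to "Calling into the NPClass callbacks (hasProperty/getProperty) runs plug-in code, and there's no telling what the plug-in can do (including destroying the plug-in)." This also drops the stray period before the parenthetical. Placing the protector after npIdentifierFromIdentifier but before the first NPClass callback is correct, since the identifier lookup does not run plug-in code.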
@@ -294,6 +299,11 @@
 
     NPIdentifier npIdentifier = npIdentifierFromIdentifier(propertyName);
 
+    // Calling NPClass::invoke will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(thisObject->m_objectMap);
+
     // First, check if the NPObject has a property with this name.
     if (thisObject->m_npObject->_class->hasProperty && thisObject->m_npObject->_class->hasProperty(thisObject->m_npObject, npIdentifier)) {
         PropertySlot slot;
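Review bot: Same inaccuracy as in the getOwnPropertySlot hunk: the comment references NPClass::invoke, while getOwnPropertyDescriptor calls NPClass::hasProperty here and then re-enters getOwnPropertySlot through the PropertySlot. The comment block is also duplicated verbatim; reword it to name the hasProperty/getProperty callbacks (or simply "the plug-in's NPClass callbacks") so that both copies stay accurate, and consider a single shared note to avoid the two drifting apart.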