Title: [135804] trunk
- Revision
- 135804
- Author
- commit-qu...@webkit.org
- Date
- 2012-11-26 19:40:59 -0800 (Mon, 26 Nov 2012)
Log Message
Check for empty perContextData while creating NP V8 Object.
https://bugs.webkit.org/show_bug.cgi?id=98448
Patch by Istiaque Ahmed <lazy...@chromium.org> on 2012-11-26
Reviewed by Adam Barth.
Fixes a crash in npCreateV8ScriptObject(): if NP Invoke is called from a document
that is no longer displayed in a frame (isCurrentlyDisplayedInFrame() ==
false), perContextData is null, and dereferencing it results in an invalid memory access.
Source/WebCore:
Test: platform/chromium/plugins/empty-per-context-data.html
* bindings/v8/NPV8Object.cpp:
(WebCore::npCreateV8ScriptObject):
LayoutTests:
* platform/chromium/plugins/empty-per-context-data-expected.txt: Added.
* platform/chromium/plugins/empty-per-context-data.html: Added.
* platform/chromium/plugins/resources/script-container.html: Added.
Modified: trunk/LayoutTests/ChangeLog (135803 => 135804)
--- trunk/LayoutTests/ChangeLog 2012-11-27 03:04:42 UTC (rev 135803)
+++ trunk/LayoutTests/ChangeLog 2012-11-27 03:40:59 UTC (rev 135804)
@@ -1,3 +1,18 @@
+2012-11-26 Istiaque Ahmed <lazy...@chromium.org>
+
+ Check for empty perContextData while creating NP V8 Object.
+ https://bugs.webkit.org/show_bug.cgi?id=98448
+
+ Reviewed by Adam Barth.
+
+ Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document
+ that is no longer displayed in frame (isCurrentlyDisplayedInFrame() ==
+ false), we have empty perContextData and this results in invalid memory access.
+
+ * platform/chromium/plugins/empty-per-context-data-expected.txt: Added.
+ * platform/chromium/plugins/empty-per-context-data.html: Added.
+ * platform/chromium/plugins/resources/script-container.html: Added.
+
2012-11-26 Daniel Bates <dba...@webkit.org>
_javascript_ fails to handle String.replace() with large replacement string
Added: trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data-expected.txt (0 => 135804)
--- trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data-expected.txt 2012-11-27 03:40:59 UTC (rev 135804)
@@ -0,0 +1,4 @@
+
+
+This tests that invoking a plugin object from a (iframe) document that is no longer visible in a frame doesn't crash the renderer. If this test is successful, the word SUCCESS should be seen below.
+SUCCESS
Added: trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data.html (0 => 135804)
--- trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data.html (rev 0)
+++ trunk/LayoutTests/platform/chromium/plugins/empty-per-context-data.html 2012-11-27 03:40:59 UTC (rev 135804)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<script type="text/_javascript_">
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ // So that we can catch crash failure.
+ testRunner.waitUntilDone();
+}
+
+function runTest() {
+ var p = document.getElementById('plg');
+ var iframe = document.getElementById('script-container-frame-id');
+ frameScriptFunction = iframe.contentWindow['new-script-object-in-frame'];
+ iframe.parentNode.removeChild(iframe);
+ p.testScriptObjectInvoke('frameScriptFunction', 'createObject');
+ document.getElementById('result').innerHTML = 'SUCCESS';
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+</script>
+<body>
+<embed id="plg" type="application/x-webkit-test-netscape"></embed><P>
+<iframe id="script-container-frame-id" src="" _onload_='runTest()'></iframe>
+<div>This tests that invoking a plugin object from a (iframe) document that is no longer visible in a frame doesn't crash the renderer. If this test is successful, the word SUCCESS should be seen below.</div>
+<div id="result">FAILED</div>
+</body>
+</html>
+
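Review bot: `frameScriptFunction = iframe.contentWindow['new-script-object-in-frame'];` in runTest() creates an implicit global, which is deliberate because the plugin resolves that name on window from `p.testScriptObjectInvoke('frameScriptFunction', 'createObject')`, but nothing says so; declare it explicitly at script top level, `var frameScriptFunction; // global on purpose: the plugin looks this up by name on window`, so a later cleanup does not scope it into the function and silently break the test. The test also writes SUCCESS unconditionally after the invoke, so it only detects a crash; if testScriptObjectInvoke throws, `testRunner.notifyDone()` is never reached and the test times out instead of failing visibly, which a try/finally around the call would make explicit. The `text/_javascript_` and `_onload_` spellings look like mailing-list mangling of `javascript` and `onload` rather than the committed text, but that is inferred from the surrounding archive formatting.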
Added: trunk/LayoutTests/platform/chromium/plugins/resources/script-container.html (0 => 135804)
--- trunk/LayoutTests/platform/chromium/plugins/resources/script-container.html (rev 0)
+++ trunk/LayoutTests/platform/chromium/plugins/resources/script-container.html 2012-11-27 03:40:59 UTC (rev 135804)
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script type="text/_javascript_">
+ window['new-script-object-in-frame'] = function() {
+ return FactoryFunction();
+ };
+ // A simple script object with a member function that takes
+ // an NPObject as an argument
+ FactoryFunction = function() {
+ var TestObject = function() {
+ };
+ TestObject.prototype.createObject = function(plugin) {
+ var newObject = plugin.testCloneObject();
+ return newObject;
+ };
+ var instance = new TestObject();
+ return instance;
+ };
+ </script>
+</head>
+<body>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (135803 => 135804)
--- trunk/Source/WebCore/ChangeLog 2012-11-27 03:04:42 UTC (rev 135803)
+++ trunk/Source/WebCore/ChangeLog 2012-11-27 03:40:59 UTC (rev 135804)
@@ -1,3 +1,19 @@
+2012-11-26 Istiaque Ahmed <lazy...@chromium.org>
+
+ Check for empty perContextData while creating NP V8 Object.
+ https://bugs.webkit.org/show_bug.cgi?id=98448
+
+ Reviewed by Adam Barth.
+
+ Fixes crash in npCreateV8ScriptObject(), if NP Invoke is called from a document
+ that is no longer displayed in frame (isCurrentlyDisplayedInFrame() ==
+ false), we have empty perContextData and this results in invalid memory access.
+
+ Test: platform/chromium/plugins/empty-per-context-data.html
+
+ * bindings/v8/NPV8Object.cpp:
+ (WebCore::npCreateV8ScriptObject):
+
2012-11-26 Michael Saboff <msab...@apple.com>
HTML/XML parser helper unconsumeCharacters() can push back 8 bit text as 16 bit text
Modified: trunk/Source/WebCore/bindings/v8/NPV8Object.cpp (135803 => 135804)
--- trunk/Source/WebCore/bindings/v8/NPV8Object.cpp 2012-11-27 03:04:42 UTC (rev 135803)
+++ trunk/Source/WebCore/bindings/v8/NPV8Object.cpp 2012-11-27 03:40:59 UTC (rev 135804)
@@ -144,29 +144,33 @@
}
}
- int v8ObjectHash = object->GetIdentityHash();
- ASSERT(v8ObjectHash);
- V8NPObjectMap* v8NPObjectMap = V8PerContextData::from(object->CreationContext())->v8NPObjectMap();
- V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
- if (iter != v8NPObjectMap->end()) {
- V8NPObjectVector& objects = iter->value;
- for (size_t index = 0; index < objects.size(); ++index) {
- V8NPObject* v8npObject = objects.at(index);
- if (v8npObject->rootObject == root) {
- ASSERT(v8npObject->v8Object == object);
- _NPN_RetainObject(&v8npObject->object);
- return reinterpret_cast<NPObject*>(v8npObject);
+ V8NPObjectVector* objectVector = 0;
+ if (V8PerContextData* perContextData = V8PerContextData::from(object->CreationContext())) {
+ int v8ObjectHash = object->GetIdentityHash();
+ ASSERT(v8ObjectHash);
+ V8NPObjectMap* v8NPObjectMap = perContextData->v8NPObjectMap();
+ V8NPObjectMap::iterator iter = v8NPObjectMap->find(v8ObjectHash);
+ if (iter != v8NPObjectMap->end()) {
+ V8NPObjectVector& objects = iter->value;
+ for (size_t index = 0; index < objects.size(); ++index) {
+ V8NPObject* v8npObject = objects.at(index);
+ if (v8npObject->rootObject == root) {
+ ASSERT(v8npObject->v8Object == object);
+ _NPN_RetainObject(&v8npObject->object);
+ return reinterpret_cast<NPObject*>(v8npObject);
+ }
}
+ } else {
+ iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
+ objectVector = &iter->value;
}
- } else {
- iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
}
-
V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
v8npObject->v8Object = v8::Persistent<v8::Object>::New(object);
v8npObject->rootObject = root;
- iter->value.append(v8npObject);
+ if (objectVector)
+ objectVector->append(v8npObject);
return reinterpret_cast<NPObject*>(v8npObject);
}
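Review bot: When `V8PerContextData::from(object->CreationContext())` returns null, the new code still allocates a wrapper at `_NPN_CreateObject(npp, &V8NPObjectClass)` but never records it in any v8NPObjectMap, so repeated calls for the same v8 object from a detached context hand the plugin a fresh NPObject each time and the identity sharing the map exists for is lost; that is presumably acceptable for a document no longer in a frame, but it deserves a comment before the `if (objectVector)` line, e.g. `// A detached context (document no longer displayed in a frame) has no V8PerContextData; hand out an unregistered wrapper rather than crash.` The same null result will presumably be hit by whichever path later disposes the wrapper and removes it from the map; that code is outside this hunk and needs the same null check, otherwise the fix only moves the crash from creation to teardown. The pre-fix defect is a null-pointer dereference of the `from()` result (a renderer crash, i.e. denial of service) rather than memory corruption, which is worth stating precisely in the ChangeLog's "invalid memory access". npCreateV8ScriptObject begins before this hunk.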