Title: [140886] trunk/Source/WebCore
- Revision: 140886
- Author: [email protected]
- Date: 2013-01-25 17:26:08 -0800 (Fri, 25 Jan 2013)
Log Message
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
https://bugs.webkit.org/show_bug.cgi?id=107904
Reviewed by Abhishek Arya.
If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
No tests. This is just a just-in-case fix.
* dom/PopStateEvent.h:
(WebCore::PopStateEvent::serializedState):
* page/History.cpp:
(WebCore::History::isSameAsCurrentState):
* page/History.h:
(History):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (140885 => 140886)
--- trunk/Source/WebCore/ChangeLog 2013-01-26 01:13:15 UTC (rev 140885)
+++ trunk/Source/WebCore/ChangeLog 2013-01-26 01:26:08 UTC (rev 140886)
@@ -1,5 +1,28 @@
2013-01-25 Kentaro Hara <[email protected]>
+ Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
+ https://bugs.webkit.org/show_bug.cgi?id=107904
+
+ Reviewed by Abhishek Arya.
+
+ If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+ it can potentially cause a use-after-free. This is because serialize()/
+ deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+ depending on data that is serialized/deserialized. So we should keep a
+ RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+ (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+ No tests. This is just a just-in-case fix.
+
+ * dom/PopStateEvent.h:
+ (WebCore::PopStateEvent::serializedState):
+ * page/History.cpp:
+ (WebCore::History::isSameAsCurrentState):
+ * page/History.h:
+ (History):
+
+2013-01-25 Kentaro Hara <[email protected]>
+
Rename CodeGenerator::IsSubType() to CodeGenerator::InheritsInterface()
https://bugs.webkit.org/show_bug.cgi?id=107874
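Review bot: The type name in the ChangeLog title and body, `RefPtr<SerializedScriptValue*>`, does not match the code in this revision, which uses `PassRefPtr<SerializedScriptValue>` (a smart pointer to the object, not to a raw pointer); please correct both the "+ Keep a RefPtr<SerializedScriptValue*> ..." line and the sentence "So we should keep a RefPtr<SerializedScriptValue*> ..." to `RefPtr<SerializedScriptValue>` so the entry reads as a correct description of the fix. It would also help future readers if the entry stated the concrete ownership rule that motivates the change: callers of serialize()/deserialize() must hold their own reference for the duration of the call because the callee may drop the last other reference, which is the use-after-free described in bug 107792.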
Modified: trunk/Source/WebCore/dom/PopStateEvent.h (140885 => 140886)
--- trunk/Source/WebCore/dom/PopStateEvent.h 2013-01-26 01:13:15 UTC (rev 140885)
+++ trunk/Source/WebCore/dom/PopStateEvent.h 2013-01-26 01:26:08 UTC (rev 140886)
@@ -48,7 +48,7 @@
static PassRefPtr<PopStateEvent> create(PassRefPtr<SerializedScriptValue>, PassRefPtr<History>);
static PassRefPtr<PopStateEvent> create(const AtomicString&, const PopStateEventInit&);
- SerializedScriptValue* serializedState() const { return m_serializedState.get(); }
+ PassRefPtr<SerializedScriptValue> serializedState() const { return m_serializedState; }
const ScriptValue& state() const { return m_state; }
History* history() const { return m_history.get(); }
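Review bot: Changing `serializedState()` from returning a raw `SerializedScriptValue*` to returning `PassRefPtr<SerializedScriptValue>` means every call now takes a reference on `m_serializedState`, which is the intended protection, but any existing caller that stores the result in a raw `SerializedScriptValue*` local will silently let that reference go at the end of the full expression and be back to the original hazard; please audit callers of `PopStateEvent::serializedState()` and make each one keep the result in a `RefPtr<SerializedScriptValue>` (or pass it straight through as a `PassRefPtr`) for as long as it is used. A short comment on the accessor, e.g. "Returns a reference so the value stays alive while the caller serializes/deserializes it", would make the contract explicit for anyone who later considers changing it back to a raw pointer for efficiency.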
Modified: trunk/Source/WebCore/page/History.cpp (140885 => 140886)
--- trunk/Source/WebCore/page/History.cpp 2013-01-26 01:13:15 UTC (rev 140885)
+++ trunk/Source/WebCore/page/History.cpp 2013-01-26 01:26:08 UTC (rev 140886)
@@ -77,7 +77,7 @@
return m_lastStateObjectRequested != stateInternal();
}
-bool History::isSameAsCurrentState(SerializedScriptValue* state) const
+bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const
{
return state == stateInternal();
}
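Review bot: `return state == stateInternal();` is a pointer-identity comparison, not a content comparison, so two distinct `SerializedScriptValue` objects holding equal serialized data will compare as different; if that is the intended semantics of `isSameAsCurrentState`, a one-line comment saying so would prevent a later "fix" that deserializes both sides, which is exactly the operation the ChangeLog warns can destroy the operand. Taking `state` as a `PassRefPtr` by value does guarantee it outlives the comparison regardless of what `stateInternal()` does internally, so the change achieves its stated purpose here.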
Modified: trunk/Source/WebCore/page/History.h (140885 => 140886)
--- trunk/Source/WebCore/page/History.h 2013-01-26 01:13:15 UTC (rev 140885)
+++ trunk/Source/WebCore/page/History.h 2013-01-26 01:26:08 UTC (rev 140886)
@@ -55,7 +55,7 @@
void go(ScriptExecutionContext*, int distance);
bool stateChanged() const;
- bool isSameAsCurrentState(SerializedScriptValue*) const;
+ bool isSameAsCurrentState(PassRefPtr<SerializedScriptValue>) const;
enum StateObjectType {
StateObjectPush,
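Review bot: The declaration now names `PassRefPtr<SerializedScriptValue>` in the header, so `History.h` needs `wtf/PassRefPtr.h` reachable and a forward declaration (or include) of `SerializedScriptValue`; neither is visible in this hunk's context, so please confirm they are already present rather than relying on transitive includes, since a missing one would only surface on a build configuration with a different include order. The parameter is left unnamed, which matches the surrounding declarations in this file.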
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes