Title: [148341] branches/safari-536.30-branch/Source/WebCore
- Revision
- 148341
- Author
- [email protected]
- Date
- 2013-04-12 20:15:35 -0700 (Fri, 12 Apr 2013)
Log Message
Merged r140891. <rdar://problem/13334946>
Modified Paths
Diff
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148340 => 148341)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 03:09:57 UTC (rev 148340)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 03:15:35 UTC (rev 148341)
@@ -1,5 +1,33 @@
2013-04-12 Ryosuke Niwa <[email protected]>
+ Merge r140891
+
+ 2013-01-25 Kentaro Hara <[email protected]>
+
+ Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent
+ https://bugs.webkit.org/show_bug.cgi?id=107900
+
+ Reviewed by Abhishek Arya.
+
+ If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+ it can potentially cause a use-after-free. This is because serialize()/
+ deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+ depending on data that is serialized/deserialized. So we should keep a
+ RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+ (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+ No tests. This is just a just-in-case fix. I couldn't find any bug
+ even in an ASAN build.
+
+ * bindings/js/JSMessageEventCustom.cpp:
+ (WebCore::JSMessageEvent::data):
+ * bindings/v8/custom/V8MessageEventCustom.cpp:
+ (WebCore::V8MessageEvent::dataAccessorGetter):
+ * dom/MessageEvent.h:
+ (WebCore::MessageEvent::dataAsSerializedScriptValue):
+
+2013-04-12 Ryosuke Niwa <[email protected]>
+
Merge r140748.
2013-01-24 Kentaro Hara <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp (148340 => 148341)
--- branches/safari-536.30-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp 2013-04-13 03:09:57 UTC (rev 148340)
+++ branches/safari-536.30-branch/Source/WebCore/bindings/js/JSMessageEventCustom.cpp 2013-04-13 03:15:35 UTC (rev 148341)
@@ -62,7 +62,7 @@
}
case MessageEvent::DataTypeSerializedScriptValue:
- if (SerializedScriptValue* serializedValue = event->dataAsSerializedScriptValue()) {
+ if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue()) {
MessagePortArray* ports = static_cast<MessageEvent*>(impl())->ports();
result = serializedValue->deserialize(exec, globalObject(), ports, NonThrowing);
}
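Review bot: The ref now taken on `serializedValue` protects the value itself, but `ports` on the following line is still a raw pointer obtained from the event, and the ChangeLog's premise is that deserialize() can run destructors depending on the data it walks; if that could ever reach the event's port array, the RefPtr alone does not cover it, so it is worth confirming (or stating in a comment) that the MessagePortArray stays owned for the duration of the call. Separately, `static_cast<MessageEvent*>(impl())->ports()` appears to re-derive the object that `event` already names on the previous line; if so, `MessagePortArray* ports = event->ports();` matches the V8 side of this patch and drops the cast. The enclosing `JSMessageEvent::data` begins and ends outside this hunk.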
Modified: branches/safari-536.30-branch/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp (148340 => 148341)
--- branches/safari-536.30-branch/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp 2013-04-13 03:09:57 UTC (rev 148340)
+++ branches/safari-536.30-branch/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp 2013-04-13 03:15:35 UTC (rev 148341)
@@ -60,7 +60,7 @@
}
case MessageEvent::DataTypeSerializedScriptValue:
- if (SerializedScriptValue* serializedValue = event->dataAsSerializedScriptValue())
+ if (RefPtr<SerializedScriptValue> serializedValue = event->dataAsSerializedScriptValue())
result = serializedValue->deserialize(event->ports(), info.GetIsolate());
else
result = v8::Null();
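Review bot: The switch from a raw pointer to `RefPtr<SerializedScriptValue>` on the changed line carries no comment, and since the value is used only once on the next line a later reader is likely to "simplify" it back to the pointer form, reintroducing the lifetime hazard this commit removes. I would add, above the `if`, `// Keep our own ref: deserialize() can drop the event's reference to this value (bug 107900).` The ChangeLog notes no reproducer was found even under ASAN, so a comment is the only guard against that regression. The enclosing getter starts outside this hunk.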
Modified: branches/safari-536.30-branch/Source/WebCore/dom/MessageEvent.h (148340 => 148341)
--- branches/safari-536.30-branch/Source/WebCore/dom/MessageEvent.h 2013-04-13 03:09:57 UTC (rev 148340)
+++ branches/safari-536.30-branch/Source/WebCore/dom/MessageEvent.h 2013-04-13 03:15:35 UTC (rev 148341)
@@ -108,7 +108,7 @@
};
DataType dataType() const { return m_dataType; }
ScriptValue dataAsScriptValue() const { ASSERT(m_dataType == DataTypeScriptValue); return m_dataAsScriptValue; }
- SerializedScriptValue* dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue.get(); }
+ PassRefPtr<SerializedScriptValue> dataAsSerializedScriptValue() const { ASSERT(m_dataType == DataTypeSerializedScriptValue); return m_dataAsSerializedScriptValue; }
String dataAsString() const { ASSERT(m_dataType == DataTypeString); return m_dataAsString; }
Blob* dataAsBlob() const { ASSERT(m_dataType == DataTypeBlob); return m_dataAsBlob.get(); }
ArrayBuffer* dataAsArrayBuffer() const { ASSERT(m_dataType == DataTypeArrayBuffer); return m_dataAsArrayBuffer.get(); }
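Review bot: `dataAsSerializedScriptValue()` now returns a `PassRefPtr`, but the neighbouring `dataAsBlob()` and `dataAsArrayBuffer()` accessors still hand out raw pointers via `.get()`; if their callers also build script wrappers while holding only that pointer, they share the shape this patch is fixing, so either they deserve the same treatment or a comment should record why the serialized case is special. The new contract is currently documented only by its return type; a one-line comment such as `// Returns an owning ref; callers must hold it across deserialize(), which may release the event's copy.` would make the intent visible to the next caller. MessageEvent's class body begins and ends outside this hunk.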