Title: [148343] branches/safari-536.30-branch/Source/WebCore
- Revision: 148343
- Author: [email protected]
- Date: 2013-04-12 21:15:15 -0700 (Fri, 12 Apr 2013)
Log Message
Merged r140886. <rdar://problem/13334946>
Modified Paths
Diff
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148342 => 148343)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 03:52:37 UTC (rev 148342)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-13 04:15:15 UTC (rev 148343)
@@ -1,5 +1,32 @@
2013-04-12 Ryosuke Niwa <[email protected]>
+ Merge 140886
+
+ 2013-01-25 Kentaro Hara <[email protected]>
+
+ Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
+ https://bugs.webkit.org/show_bug.cgi?id=107904
+
+ Reviewed by Abhishek Arya.
+
+ If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+ it can potentially cause a use-after-free. This is because serialize()/
+ deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+ depending on data that is serialized/deserialized. So we should keep a
+ RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+ (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+ No tests. This is just a just-in-case fix.
+
+ * dom/PopStateEvent.h:
+ (WebCore::PopStateEvent::serializedState):
+ * page/History.cpp:
+ (WebCore::History::isSameAsCurrentState):
+ * page/History.h:
+ (History):
+
+2013-04-12 Ryosuke Niwa <[email protected]>
+
Merge r140892
2013-01-25 Kentaro Hara <[email protected]>
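Review bot: The ChangeLog text names the type as `RefPtr<SerializedScriptValue*>` (twice, in the title line and in the last sentence of the description) while the code in this changeset uses `PassRefPtr<SerializedScriptValue>`; the template argument should be the class, not a pointer to it, so the description should read `RefPtr<SerializedScriptValue>`. Also, the merge line is written `Merge 140886` while the sibling entry directly below uses `Merge r140892`; use the `r` prefix consistently so the revision is recognizable as one. Finally, "No tests. This is just a just-in-case fix." should at least name the scenario it guards against (the `serialize()`/`deserialize()` re-entrancy tracked in bug 107792) so a later reader of the log knows why the signatures widened from raw pointers to ref-counted ones.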
Modified: branches/safari-536.30-branch/Source/WebCore/dom/PopStateEvent.h (148342 => 148343)
--- branches/safari-536.30-branch/Source/WebCore/dom/PopStateEvent.h 2013-04-13 03:52:37 UTC (rev 148342)
+++ branches/safari-536.30-branch/Source/WebCore/dom/PopStateEvent.h 2013-04-13 04:15:15 UTC (rev 148343)
@@ -48,7 +48,7 @@
static PassRefPtr<PopStateEvent> create(PassRefPtr<SerializedScriptValue>, PassRefPtr<History>);
static PassRefPtr<PopStateEvent> create(const AtomicString&, const PopStateEventInit&);
- SerializedScriptValue* serializedState() const { return m_serializedState.get(); }
+ PassRefPtr<SerializedScriptValue> serializedState() const { return m_serializedState; }
ScriptValue state() const { return m_state; }
History* history() const { return m_history.get(); }
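Review bot: The getter changes semantics, not just its type: `serializedState()` now hands every caller a strong reference (the `PassRefPtr` conversion from `m_serializedState` refs on each call) instead of a borrowed pointer, and the header says nothing about it. Add a one-line comment on the accessor stating that callers are expected to keep the result in a local `RefPtr<SerializedScriptValue>` for as long as they pass it to `serialize()`/`deserialize()`, since that local reference is the actual protection the ChangeLog describes; otherwise a caller that writes `event->serializedState().get()` gets the old raw-pointer behaviour back with none of the safety.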
Modified: branches/safari-536.30-branch/Source/WebCore/page/History.cpp (148342 => 148343)
--- branches/safari-536.30-branch/Source/WebCore/page/History.cpp 2013-04-13 03:52:37 UTC (rev 148342)
+++ branches/safari-536.30-branch/Source/WebCore/page/History.cpp 2013-04-13 04:15:15 UTC (rev 148343)
@@ -77,7 +77,7 @@
return m_lastStateObjectRequested != stateInternal();
}
-bool History::isSameAsCurrentState(SerializedScriptValue* state) const
+bool History::isSameAsCurrentState(PassRefPtr<SerializedScriptValue> state) const
{
return state == stateInternal();
}
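Review bot: The body of `isSameAsCurrentState` is a pure pointer-identity check, `return state == stateInternal();`, and never calls `serialize()` or `deserialize()`, so taking the argument as `PassRefPtr<SerializedScriptValue>` only adds a ref/deref pair around the comparison and does not by itself remove any use-after-free; the reference that matters has to be held by the caller across the serialization calls. If the new signature is kept so that callers can pass the `PassRefPtr` returned by `PopStateEvent::serializedState()` without `.get()`, say so in a short comment above the function, so a future cleanup does not "simplify" it back to `SerializedScriptValue*` and quietly reintroduce the pattern this merge is trying to avoid.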
Modified: branches/safari-536.30-branch/Source/WebCore/page/History.h (148342 => 148343)
--- branches/safari-536.30-branch/Source/WebCore/page/History.h 2013-04-13 03:52:37 UTC (rev 148342)
+++ branches/safari-536.30-branch/Source/WebCore/page/History.h 2013-04-13 04:15:15 UTC (rev 148343)
@@ -55,7 +55,7 @@
void go(ScriptExecutionContext*, int distance);
bool stateChanged() const;
- bool isSameAsCurrentState(SerializedScriptValue*) const;
+ bool isSameAsCurrentState(PassRefPtr<SerializedScriptValue>) const;
enum StateObjectType {
StateObjectPush,
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes