Title: [140887] trunk/Source/WebCore
Revision
140887
Author
hara...@chromium.org
Date
2013-01-25 17:28:40 -0800 (Fri, 25 Jan 2013)

Log Message

[V8] Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() (part 1)
https://bugs.webkit.org/show_bug.cgi?id=107891

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix. I couldn't find any bug
even in an ASAN build.

* bindings/v8/custom/V8CustomEventCustom.cpp:
(WebCore::V8CustomEvent::detailAccessorGetter):

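The lifetime problem the log message describes, as an added example that is not WebKit code: a constructed stand-in for a refcounted value and for RefPtr (not WTF's classes), an event that owns one reference, and a deserialize() stand-in that drops that reference mid-call, so the raw-pointer getter can be compared with the RefPtr-holding one. The names Serialized, SerializedPtr, Event, getterBefore and getterAfter are assumptions made for the illustration.

```cpp
// Constructed stand-in for a refcounted SerializedScriptValue (not WTF code). When the
// count hits zero it records the release instead of deleting, so a dangling access is observable without UB.
struct Serialized {
    int refCount = 0;
    bool freed = false;
    int payload = 7;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) freed = true; } // real code: delete this
};

// Constructed stand-in for RefPtr<Serialized>: refs on copy, derefs on destruction.
class SerializedPtr {
    Serialized* m_ptr;
public:
    explicit SerializedPtr(Serialized* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    SerializedPtr(const SerializedPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    SerializedPtr& operator=(const SerializedPtr&) = delete;
    ~SerializedPtr() { if (m_ptr) m_ptr->deref(); }
    Serialized* get() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
    void clear() { if (m_ptr) m_ptr->deref(); m_ptr = nullptr; }
};

// The event owns the value, like CustomEvent::serializedScriptValue().
struct Event {
    SerializedPtr m_value;
    const SerializedPtr& serializedScriptValue() const { return m_value; }
};

// Models deserialize(): while it runs, the event lets go of its own reference (the log's
// "depending on data that is deserialized"). Returns -1 if handed an already released object.
int deserialize(Serialized* s, Event& ev) {
    ev.m_value.clear();                  // the only other owner drops out mid-call
    return s->freed ? -1 : s->payload;
}

// Before the fix: a raw pointer, no ownership held across the call.
int getterBefore(Event& ev) {
    Serialized* serialized = ev.serializedScriptValue().get();
    return serialized ? deserialize(serialized, ev) : 0;
}

// After the fix: the local RefPtr keeps the object alive until the getter returns.
int getterAfter(Event& ev) {
    SerializedPtr serialized = ev.serializedScriptValue();
    return serialized ? deserialize(serialized.get(), ev) : 0;
}
int runBefore() { Serialized s; Event ev{SerializedPtr(&s)}; return getterBefore(ev); } // -1
int runAfter()  { Serialized s; Event ev{SerializedPtr(&s)}; return getterAfter(ev); }  // 7
```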
Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (140886 => 140887)


--- trunk/Source/WebCore/ChangeLog	2013-01-26 01:26:08 UTC (rev 140886)
+++ trunk/Source/WebCore/ChangeLog	2013-01-26 01:28:40 UTC (rev 140887)
@@ -1,5 +1,25 @@
 2013-01-25  Kentaro Hara  <hara...@chromium.org>
 
+        [V8] Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() (part 1)
+        https://bugs.webkit.org/show_bug.cgi?id=107891
+
+        Reviewed by Abhishek Arya.
+
+        If you use a raw SerializedScriptValue* for serialize()/deserialize(),
+        it can potentially cause a use-after-free. This is because serialize()/
+        deserialize() can destruct a RefPtr of the SerializedScriptValue*,
+        depending on data that is serialized/deserialized. So we should keep a
+        RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
+        (See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)
+
+        No tests. This is just a just-in-case fix. I couldn't find any bug
+        even in an ASAN build.
+
+        * bindings/v8/custom/V8CustomEventCustom.cpp:
+        (WebCore::V8CustomEvent::detailAccessorGetter):
+
+2013-01-25  Kentaro Hara  <hara...@chromium.org>
+
         Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() in PopStateEvent
         https://bugs.webkit.org/show_bug.cgi?id=107904
 
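Review bot: the ChangeLog entry names the held type RefPtr<SerializedScriptValue*>, but the code hunk in V8CustomEventCustom.cpp declares `RefPtr<SerializedScriptValue> serialized` (RefPtr already wraps the pointer, so the `*` inside the template argument does not match what was committed); suggest aligning the ChangeLog wording with the code. Since the entry is marked "(part 1)" and the sibling entry below covers PopStateEvent, listing the remaining raw-pointer serialize()/deserialize() callers that later parts are meant to convert would let reviewers see when this class of lifetime bug is fully closed.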

Modified: trunk/Source/WebCore/bindings/v8/custom/V8CustomEventCustom.cpp (140886 => 140887)


--- trunk/Source/WebCore/bindings/v8/custom/V8CustomEventCustom.cpp	2013-01-26 01:26:08 UTC (rev 140886)
+++ trunk/Source/WebCore/bindings/v8/custom/V8CustomEventCustom.cpp	2013-01-26 01:28:40 UTC (rev 140887)
@@ -49,7 +49,7 @@
 v8::Handle<v8::Value> V8CustomEvent::detailAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
 {
     CustomEvent* imp = V8CustomEvent::toNative(info.Holder());
-    SerializedScriptValue* serialized = imp->serializedScriptValue().get();
+    RefPtr<SerializedScriptValue> serialized = imp->serializedScriptValue();
     if (serialized) {
         v8::Handle<v8::Value> value = info.Holder()->GetHiddenValue(V8HiddenPropertyName::detail());
         if (value.IsEmpty()) {
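Review bot: the hunk ends before the deserialize() call that the log message identifies as the point where the event's own RefPtr can be dropped, so the lines that actually consume `serialized` are not in view; please confirm that the rest of detailAccessorGetter uses the local `serialized` (and `serialized.get()` where a raw pointer is needed) rather than re-reading `imp->serializedScriptValue().get()`, since a fresh raw pointer taken inside the call would reintroduce the same use-after-free window. The `if (serialized)` check is unaffected because RefPtr is testable as a boolean, so the only behavioural change is the extra ref/deref held across the call, which is the intent.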
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
