From 7ab42b1fb12539d9753f6e21889e2396b3bdff51 Mon Sep 17 00:00:00 2001 From: "commit-queue@webkit.org" Date: Thu, 22 Sep 2011 00:17:45 +0000 Subject: [PATCH] [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter https://bugs.webkit.org/show_bug.cgi?id=68584 Patch by Sergey Glazunov on 2011-09-21 Reviewed by Adam Barth. Source/WebCore: Test: fast/dom/message-port-deleted-by-accessor.html * bindings/v8/custom/V8MessageEventCustom.cpp: (WebCore::V8MessageEvent::portsAccessorGetter): LayoutTests: * fast/dom/message-port-deleted-by-accessor-expected.txt: Added. * fast/dom/message-port-deleted-by-accessor.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95689 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- LayoutTests/ChangeLog | 10 +++++++++ .../message-port-deleted-by-accessor-expected.txt | 1 + .../fast/dom/message-port-deleted-by-accessor.html | 25 ++++++++++++++++++++++ Source/WebCore/ChangeLog | 12 +++++++++++ .../bindings/v8/custom/V8MessageEventCustom.cpp | 8 ++++--- 5 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt create mode 100644 LayoutTests/fast/dom/message-port-deleted-by-accessor.html diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index c89e1bc..d610a29 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,13 @@ +2011-09-21 Sergey Glazunov + + [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter + https://bugs.webkit.org/show_bug.cgi?id=68584 + + Reviewed by Adam Barth. + + * fast/dom/message-port-deleted-by-accessor-expected.txt: Added. + * fast/dom/message-port-deleted-by-accessor.html: Added. + 2011-09-21 David Levin [chromium] Rebaselines for passing tests and expectation updates/narrowing. 
diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt new file mode 100644 index 0000000..730ebf6 --- /dev/null +++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt @@ -0,0 +1 @@ +This test passes if it doesn't crash. diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor.html b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html new file mode 100644 index 0000000..9a6f495 --- /dev/null +++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html @@ -0,0 +1,25 @@ + + + + + +This test passes if it doesn't crash. + + diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index c48917f..f3ba2b9 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,15 @@ +2011-09-21 Sergey Glazunov + + [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter + https://bugs.webkit.org/show_bug.cgi?id=68584 + + Reviewed by Adam Barth. + + Test: fast/dom/message-port-deleted-by-accessor.html + + * bindings/v8/custom/V8MessageEventCustom.cpp: + (WebCore::V8MessageEvent::portsAccessorGetter): + 2011-09-21 Anders Carlsson Add back protection against the NSView going away while handling mouseDown diff --git a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp index b99672d..6047cdd 100644 --- a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp +++ b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp 
@@ -88,10 +88,12 @@ v8::Handle V8MessageEvent::portsAccessorGetter(v8::Local
 MessagePortArray* ports = event->ports();
 if (!ports)
 return v8::Array::New(0);
+
+ MessagePortArray portsCopy(*ports);
 
- v8::Local portArray = v8::Array::New(ports->size());
- for (size_t i = 0; i < ports->size(); ++i)
- portArray->Set(v8::Integer::New(i), toV8((*ports)[i].get()));
+ v8::Local portArray = v8::Array::New(portsCopy.size());
+ for (size_t i = 0; i < portsCopy.size(); ++i)
+ portArray->Set(v8::Integer::New(i), toV8(portsCopy[i].get()));
 
 return portArray;
 }
-- 
2.7.4
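Review bot: The new `MessagePortArray portsCopy(*ports);` line carries no comment saying why the copy exists, so it reads like a redundant allocation that a later cleanup could remove and silently bring back the lifetime bug this commit fixes. Judging by the commit title and the `.get()` calls, the elements are presumably ref-counted and the copy is what keeps each port alive while `toV8()` runs inside the loop. I would state that above the copy, for example `// Hold our own references: wrapping a port in toV8() may run script that clears or frees event->ports(), so never index *ports inside the loop.` The raw `ports` pointer stays in scope after the copy, so the comment should also warn against using it below that line. The function begins above this hunk, so whether `event` itself is kept alive for the duration of the getter cannot be judged from here.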