bcarrella/cef
1
0
Fork 0
mirror of https://bitbucket.org/chromiumembedded/cef synced 2025-06-05 21:39:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Fix potential use-after-free of V8TrackArrayBuffer (fixes issue #3074)"

Browse Source 
This reverts commit 64a1612b70.
This commit is contained in:
Marshall Greenblatt
2021-03-22 19:44:42 -04:00
parent 288366c96d
commit 96404f1fd9
1 changed files with 6 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
libcef/renderer/v8_impl.cc
View File

@ -322,8 +322,7 @@ class V8TrackArrayBuffer : public CefTrackNode {
CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback) CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback)
: isolate_(isolate), : isolate_(isolate),
buffer_(buffer), buffer_(buffer),
release_callback_(release_callback), release_callback_(release_callback) {
weak_ptr_factory_(this) {
DCHECK(isolate_); DCHECK(isolate_);
isolate_->AdjustAmountOfExternalAllocatedMemory( isolate_->AdjustAmountOfExternalAllocatedMemory(
static_cast<int>(sizeof(V8TrackArrayBuffer))); static_cast<int>(sizeof(V8TrackArrayBuffer)));
@ -366,16 +365,10 @@ class V8TrackArrayBuffer : public CefTrackNode {
return nullptr; return nullptr;
} }
base::WeakPtr<V8TrackArrayBuffer> GetWeakPtr() const {
return weak_ptr_factory_.GetWeakPtr();
}
private: private:
v8::Isolate* isolate_; v8::Isolate* isolate_;
void* buffer_; void* buffer_;
CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback_; CefRefPtr<CefV8ArrayBufferReleaseCallback> release_callback_;
base::WeakPtrFactory<V8TrackArrayBuffer> weak_ptr_factory_;
}; };
// Object wrapped in a v8::External and passed as the Data argument to // Object wrapped in a v8::External and passed as the Data argument to
@ -1423,24 +1416,15 @@ CefRefPtr<CefV8Value> CefV8Value::CreateArrayBuffer(
V8TrackArrayBuffer* tracker = V8TrackArrayBuffer* tracker =
new V8TrackArrayBuffer(isolate, buffer, release_callback); new V8TrackArrayBuffer(isolate, buffer, release_callback);
struct WeakPtrWrapper {
WeakPtrWrapper(V8TrackArrayBuffer* tracker) {
weak_ptr_ = tracker->GetWeakPtr();
}
base::WeakPtr<V8TrackArrayBuffer> weak_ptr_;
};
auto deleter = [](void* data, size_t length, void* deleter_data) { auto deleter = [](void* data, size_t length, void* deleter_data) {
auto* wrapper = reinterpret_cast<WeakPtrWrapper*>(deleter_data); auto* tracker = reinterpret_cast<V8TrackArrayBuffer*>(deleter_data);
if (wrapper) { if (tracker) {
if (wrapper->weak_ptr_) tracker->ReleaseBuffer();
wrapper->weak_ptr_->ReleaseBuffer();
delete wrapper;
} }
}; };
std::unique_ptr<v8::BackingStore> backing = v8::ArrayBuffer::NewBackingStore( std::unique_ptr<v8::BackingStore> backing =
buffer, length, deleter, new WeakPtrWrapper(tracker)); v8::ArrayBuffer::NewBackingStore(buffer, length, deleter, tracker);
v8::Local<v8::ArrayBuffer> ab = v8::Local<v8::ArrayBuffer> ab =
v8::ArrayBuffer::New(isolate, std::move(backing)); v8::ArrayBuffer::New(isolate, std::move(backing));