Fixes UAF for SAB with failed d8 serialization

Bug=chromium:806582 Change-Id: I0d541903dfd1622ae6d4a2628c41dc28704680e6 Reviewed-on: https://chromium-review.googlesource.com/891626Reviewed-by: Ben Smith <binji@chromium.org> Commit-Queue: Malcolm White <malcolmwhite@google.com> Cr-Commit-Position: refs/heads/master@{#50972}

Fixes UAF for SAB with failed d8 serialization
Bug=chromium:806582 Change-Id: I0d541903dfd1622ae6d4a2628c41dc28704680e6 Reviewed-on: https://chromium-review.googlesource.com/891626Reviewed-by: Ben Smith <binji@chromium.org> Commit-Queue: Malcolm White <malcolmwhite@google.com> Cr-Commit-Position: refs/heads/master@{#50972}
1f2442ab · Malcolm White · Commit Bot · 2de48de7 · 1f2442ab · 1f2442ab
Commit 1f2442ab authored Jan 30, 2018 by Malcolm White Committed by Commit Bot Jan 30, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

d8.cc src/d8.cc +12 -2

d8.h src/d8.h +0 -7

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -3085,6 +3085,13 @@ class Serializer : public ValueSerializer::Delegate {

  std::unique_ptr<SerializationData> Release() { return std::move(data_); }

+  void AppendExternalizedContentsTo(std::vector<ExternalizedContents>* to) {
+    to->insert(to->end(),
+               std::make_move_iterator(externalized_contents_.begin()),
+               std::make_move_iterator(externalized_contents_.end()));
+    externalized_contents_.clear();
+  }
+
 protected:
  // Implements ValueSerializer::Delegate.
  void ThrowDataCloneError(Local<String> message) override {
@@ -3157,7 +3164,7 @@ class Serializer : public ValueSerializer::Delegate {
      return array_buffer->GetContents();
    } else {
      typename T::Contents contents = array_buffer->Externalize();
-      data_->externalized_contents_.emplace_back(contents);
+      externalized_contents_.emplace_back(contents);
      return contents;
    }
  }
@@ -3184,6 +3191,7 @@ class Serializer : public ValueSerializer::Delegate {
  std::unique_ptr<SerializationData> data_;
  std::vector<Global<ArrayBuffer>> array_buffers_;
  std::vector<Global<SharedArrayBuffer>> shared_array_buffers_;
+  std::vector<ExternalizedContents> externalized_contents_;
  size_t current_memory_usage_;

  DISALLOW_COPY_AND_ASSIGN(Serializer);
@@ -3242,9 +3250,11 @@ std::unique_ptr<SerializationData> Shell::SerializeValue(
  if (serializer.WriteValue(context, value, transfer).To(&ok)) {
    std::unique_ptr<SerializationData> data = serializer.Release();
    base::LockGuard<base::Mutex> lock_guard(workers_mutex_.Pointer());
-    data->AppendExternalizedContentsTo(&externalized_contents_);
+    serializer.AppendExternalizedContentsTo(&externalized_contents_);
    return data;
  }
+  // Append externalized contents even when WriteValue fails.
+  serializer.AppendExternalizedContentsTo(&externalized_contents_);
  return nullptr;
 }


--- a/src/d8.h
+++ b/src/d8.h
@@ -197,12 +197,6 @@ class SerializationData {
    return shared_array_buffer_contents_;
  }

-  void AppendExternalizedContentsTo(std::vector<ExternalizedContents>* to) {
-    to->insert(to->end(),
-               std::make_move_iterator(externalized_contents_.begin()),
-               std::make_move_iterator(externalized_contents_.end()));
-    externalized_contents_.clear();
-  }

 private:
  struct DataDeleter {
@@ -213,7 +207,6 @@ class SerializationData {
  size_t size_;
  std::vector<ArrayBuffer::Contents> array_buffer_contents_;
  std::vector<SharedArrayBuffer::Contents> shared_array_buffer_contents_;
-  std::vector<ExternalizedContents> externalized_contents_;

 private:
  friend class Serializer;