Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for...
author: haraken@chromium.org <haraken@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Sat, 26 Jan 2013 01:36:40 +0000 (01:36 +0000)
committer: haraken@chromium.org <haraken@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>, Sat, 26 Jan 2013 01:36:40 +0000 (01:36 +0000)
commit: 4738743d990b8e9c003fdd43165981166eebd060
tree: 0ade284f437d5b2c2f3f83411bc9b72e6a58a50a
parent: 1dd8c15b1aeb155e883457c32f9e5f64b2389411
Keep a RefPtr<SerializedScriptValue*> when we call serialize()/deserialize() for MessageEvent
https://bugs.webkit.org/show_bug.cgi?id=107900

Reviewed by Abhishek Arya.

If you use a raw SerializedScriptValue* for serialize()/deserialize(),
it can potentially cause a use-after-free. This is because serialize()/
deserialize() can destruct a RefPtr of the SerializedScriptValue*,
depending on data that is serialized/deserialized. So we should keep a
RefPtr<SerializedScriptValue*> when we call serialize()/deserialize().
(See https://bugs.webkit.org/show_bug.cgi?id=107792 for more details.)

No tests. This is just a just-in-case fix. I couldn't find any bug
even in an ASAN build.

* bindings/js/JSMessageEventCustom.cpp:
(WebCore::JSMessageEvent::data):
* bindings/v8/custom/V8MessageEventCustom.cpp:
(WebCore::V8MessageEvent::dataAccessorGetter):
* dom/MessageEvent.h:
(WebCore::MessageEvent::dataAsSerializedScriptValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140891 268f45cc-cd09-0410-ab3c-d52691b4dbfc
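The hazard the commit message describes, shown as an added example that is not part of this WebKit change: a caller deserializes through a raw pointer while the only reference to the object is owned by the event, and the deserialization itself can run code that clears that reference, so the object is destroyed in the middle of the call. `RefCounted`, `RefPtr`, `SerializedValue`, `MessageEventLike`, `deserializeWithRawPointer` and `deserializeWithRefPtr` are minimal stand-ins written for this example, not WTF or WebCore code, and the `onDeserialize` hook that clears the event's data is a constructed model of "data-dependent" code running during deserialize(). The raw-pointer variant detects the free through a liveness table instead of reading freed memory, so it runs cleanly while still showing the ordering problem.

```cpp
#include <cassert>
#include <cstddef>
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Addresses of currently live SerializedValue objects (example bookkeeping).
// Lets the unsafe variant report the premature free without dereferencing it.
static std::set<const void*> g_live;
static bool isLive(const void* p) { return g_live.count(p) != 0; }
static std::size_t liveObjectCount() { return g_live.size(); }

// Minimal intrusive ref counting; stand-in for WTF::RefCounted.
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
protected:
    virtual ~RefCounted() = default;
private:
    unsigned m_refCount = 0;
};

// Minimal owning smart pointer; stand-in for WTF::RefPtr.
template <typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& other) { RefPtr tmp(other); std::swap(m_ptr, tmp.m_ptr); return *this; }
    void clear() { T* p = m_ptr; m_ptr = nullptr; if (p) p->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr = nullptr;
};

// Stand-in for SerializedScriptValue: a payload plus a hook that runs in the
// middle of deserialization, modelling script that may release the value.
class SerializedValue : public RefCounted {
public:
    explicit SerializedValue(std::string payload) : m_payload(std::move(payload)) { g_live.insert(this); }
    const std::string& payload() const { return m_payload; }
    std::function<void()> onDeserialize;
private:
    ~SerializedValue() override { g_live.erase(this); }
    std::string m_payload;
};

// Stand-in for MessageEvent: holds the only reference to its data.
struct MessageEventLike {
    RefPtr<SerializedValue> m_data;
};

static const char* const kFreedSentinel = "<object destroyed during deserialize>";

// The pattern the commit removes: work through a raw pointer while the only
// reference sits in the event, which the deserialization hook may clear.
static std::string deserializeWithRawPointer(MessageEventLike& event) {
    SerializedValue* raw = event.m_data.get();
    std::function<void()> hook = raw->onDeserialize;  // copy: the hook must outlive its owner
    hook();                                            // may drop the last reference
    if (!isLive(raw))
        return kFreedSentinel;  // real code would read freed memory at this point
    return raw->payload();
}

// The pattern the commit introduces: hold a RefPtr for the whole call.
static std::string deserializeWithRefPtr(MessageEventLike& event) {
    RefPtr<SerializedValue> keepAlive = event.m_data;  // refcount 1 -> 2
    std::function<void()> hook = keepAlive->onDeserialize;
    hook();                                             // event's reference dropped, ours remains
    assert(isLive(keepAlive.get()));
    return keepAlive->payload();
}   // keepAlive released here: the object dies after the call, not during it

// Builds an event whose data clears event.m_data while being deserialized and
// returns what the caller reads afterwards. Constructed scenario for the example.
static std::string runScenario(bool holdRefPtr) {
    MessageEventLike event;
    event.m_data = RefPtr<SerializedValue>(new SerializedValue("hello from postMessage"));
    event.m_data->onDeserialize = [&event] { event.m_data.clear(); };
    return holdRefPtr ? deserializeWithRefPtr(event) : deserializeWithRawPointer(event);
}

int main() {
    std::cout << "raw pointer: " << runScenario(false) << "\n";
    std::cout << "RefPtr:      " << runScenario(true) << "\n";
    return 0;
}
```

The point to take from the two variants is that the extra reference costs one increment and one decrement, while the raw-pointer version is only safe as long as nothing reachable from the call can release the owner's reference, which is exactly the data-dependent condition the commit message says cannot be ruled out. Tools such as ASan only catch the bad case when the test input actually triggers that release, which is why the author could not reproduce it and still fixed the ordering.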
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSMessageEventCustom.cpp
Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
Source/WebCore/dom/MessageEvent.h