Fix memory corruption with AdoptText method....

src/extensions/experimental/break-iterator.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 28 matching lines @@
 icu::BreakIterator* BreakIterator::UnpackBreakIterator(
     v8::Handle<v8::Object> obj) {
   if (break_iterator_template_->HasInstance(obj)) {
     return static_cast<icu::BreakIterator*>(
         obj->GetPointerFromInternalField(0));
   }
 
   return NULL;
 }
 
+UnicodeString* BreakIterator::ResetAdoptedText(
+    v8::Handle<v8::Object> obj, v8::Handle<v8::Value> value) {
+  // Get the previous value from the internal field.
+  UnicodeString* text = static_cast<UnicodeString*>(
+      obj->GetPointerFromInternalField(1));
+  delete text;
+
+  // Assign new value to the internal pointer.
+  v8::String::Value text_value(value);
+  text = new UnicodeString(
+      reinterpret_cast<const UChar*>(*text_value), text_value.length());
+  obj->SetPointerInInternalField(1, text);
+
+  // Return new unicode string pointer.
+  return text;
+}
+
 void BreakIterator::DeleteBreakIterator(v8::Persistent<v8::Value> object,
                                         void* param) {
   v8::Persistent<v8::Object> persistent_object =
       v8::Persistent<v8::Object>::Cast(object);
 
   // First delete the hidden C++ object.
   // Unpacking should never return NULL here. That would only happen if
   // this method is used as the weak callback for persistent handles not
   // pointing to a break iterator.
   delete UnpackBreakIterator(persistent_object);
 
+  delete static_cast<UnicodeString*>(
+      persistent_object->GetPointerFromInternalField(1));
+
   // Then dispose of the persistent handle to JS object.
   persistent_object.Dispose();
 }
 
 // Throws a JavaScript exception.
 static v8::Handle<v8::Value> ThrowUnexpectedObjectError() {
   // Returns undefined, and schedules an exception to be thrown.
   return v8::ThrowException(v8::Exception::Error(
       v8::String::New("BreakIterator method called on an object "
                       "that is not a BreakIterator.")));
 }
 
 v8::Handle<v8::Value> BreakIterator::BreakIteratorAdoptText(
     const v8::Arguments& args) {
   if (args.Length() != 1 || !args[0]->IsString()) {
     return v8::ThrowException(v8::Exception::SyntaxError(
         v8::String::New("Text input is required.")));
   }
 
   icu::BreakIterator* break_iterator = UnpackBreakIterator(args.Holder());
   if (!break_iterator) {
     return ThrowUnexpectedObjectError();
   }
 
-  v8::String::Value text_value(args[0]);
-  UnicodeString text(
-      reinterpret_cast<const UChar*>(*text_value), text_value.length());
-
-  break_iterator->setText(text);
+  break_iterator->setText(*ResetAdoptedText(args.Holder(), args[0]));
 
   return v8::Undefined();
 }
 
 v8::Handle<v8::Value> BreakIterator::BreakIteratorFirst(
     const v8::Arguments& args) {
   icu::BreakIterator* break_iterator = UnpackBreakIterator(args.Holder());
   if (!break_iterator) {
     return ThrowUnexpectedObjectError();
   }
@@ skipping 86 matching lines @@
   }
 
   if (break_iterator_template_.IsEmpty()) {
     v8::Local<v8::FunctionTemplate> raw_template(v8::FunctionTemplate::New());
 
     raw_template->SetClassName(v8::String::New("v8Locale.v8BreakIterator"));
 
     // Define internal field count on instance template.
     v8::Local<v8::ObjectTemplate> object_template =
         raw_template->InstanceTemplate();
-    object_template->SetInternalFieldCount(1);
+
+    // Set aside internal fields for icu break iterator and adopted text.
+    object_template->SetInternalFieldCount(2);
 
     // Define all of the prototype methods on prototype template.
     v8::Local<v8::ObjectTemplate> proto = raw_template->PrototypeTemplate();
     proto->Set(v8::String::New("adoptText"),
                v8::FunctionTemplate::New(BreakIteratorAdoptText));
     proto->Set(v8::String::New("first"),
                v8::FunctionTemplate::New(BreakIteratorFirst));
     proto->Set(v8::String::New("next"),
                v8::FunctionTemplate::New(BreakIteratorNext));
     proto->Set(v8::String::New("current"),
                v8::FunctionTemplate::New(BreakIteratorCurrent));
     proto->Set(v8::String::New("breakType"),
                v8::FunctionTemplate::New(BreakIteratorBreakType));
 
     break_iterator_template_ =
         v8::Persistent<v8::FunctionTemplate>::New(raw_template);
   }
 
   // Create an empty object wrapper.
   v8::Local<v8::Object> local_object =
       break_iterator_template_->GetFunction()->NewInstance();
   v8::Persistent<v8::Object> wrapper =
       v8::Persistent<v8::Object>::New(local_object);
 
   // Set break iterator as internal field of the resulting JS object.
   wrapper->SetPointerInInternalField(0, break_iterator);
+  // Make sure that the pointer to adopted text is NULL.
+  wrapper->SetPointerInInternalField(1, NULL);
 
   // Make object handle weak so we can delete iterator once GC kicks in.
   wrapper.MakeWeak(NULL, DeleteBreakIterator);
 
   return wrapper;
 }
 
 } }  // namespace v8::internal