
Unified Diff: Source/core/loader/DocumentLoader.cpp

Issue 1263363005: Better handle reentrancy into DocumentLoader::dataReceived(). (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix UaF Created 5 years, 4 months ago
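--- a/Source/core/loader/DocumentLoader.cpp
+++ b/Source/core/loader/DocumentLoader.cpp
@@ -72,6 +72,7 @@
 #include "public/platform/Platform.h"
 #include "public/platform/WebMimeRegistry.h"
 #include "wtf/Assertions.h"
+#include "wtf/TemporaryChange.h"
 #include "wtf/text/WTFString.h"
 namespace blink {
@@ -93,6 +94,8 @@ DocumentLoader::DocumentLoader(LocalFrame* frame, const ResourceRequest& req, co
 , m_timeOfLastDataReceived(0.0)
 , m_applicationCacheHost(ApplicationCacheHost::create(this))
 , m_state(NotStarted)
+ , m_inDataReceived(false)
+ , m_dataBuffer(SharedBuffer::create())
 {
 }
@@ -554,11 +557,41 @@ void DocumentLoader::dataReceived(Resource* resource, const char* data, unsigned
 ASSERT(!m_response.isNull());
 ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading());
+ if (m_inDataReceived) {
+ // If this function is reentered, defer processing of the additional
+ // data to the top-level invocation. Reentrant calls can occur because
+ // of web platform (mis-)features that require running a nested message
+ // loop:
+ // - alert(), confirm(), prompt()
+ // - Detach of plugin elements.
+ // - Synchronous XMLHTTPRequest
+ m_dataBuffer->append(data, length);
+ return;
+ }
+
 // Both unloading the old page and parsing the new page may execute JavaScript which destroys the datasource
 // by starting a new load, so retain temporarily.
 RefPtrWillBeRawPtr<LocalFrame> protectFrame(m_frame.get());
 RefPtrWillBeRawPtr<DocumentLoader> protectLoader(this);
+ TemporaryChange<bool> reentrancyProtector(m_inDataReceived, true);
+ processData(data, length);
+
+ // Process data received in reentrant invocations. Note that the
+ // invocations of processData() may queue more data in reentrant
+ // invocations, so iterate until it's empty.
+ const char* segment;
+ unsigned pos = 0;
+ while (unsigned length = m_dataBuffer->getSomeData(segment, pos)) {
+ processData(segment, length);
+ pos += length;
+ }
+ // All data has been consumed, so flush the buffer.
+ m_dataBuffer->clear();
+}
+
+void DocumentLoader::processData(const char* data, unsigned length)
+{
 m_applicationCacheHost->mainResourceDataReceived(data, length);
 m_timeOfLastDataReceived = monotonicallyIncreasingTime();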
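Review bot: In the drain loop, `segment` is a pointer into m_dataBuffer that is passed to processData() while a nested dataReceived() can still append to that same buffer; if SharedBuffer::append() is able to reallocate or move the storage behind a pointer previously returned by getSomeData(), the segment being processed dangles, which is exactly the use-after-free class this patch set is meant to close — worth confirming against SharedBuffer, or copying the segment out before calling processData(). Separately, `while (unsigned length = ...)` shadows dataReceived()'s own `length` parameter; `while (unsigned segmentLength = m_dataBuffer->getSomeData(segment, pos))` with `pos += segmentLength;` reads more safely, and `const char* segment = nullptr;` avoids leaving the pointer uninitialized. The body of processData() continues past the end of the hunk.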
