third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp - Issue 1414553002: Fix out-of-memory crashes related to ArrayBuffer allocation

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp

Issue 1414553002: Fix out-of-memory crashes related to ArrayBuffer allocation Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: rebase and applied senorblanco+haraken feedbac Created 5 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp ('K') | « third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp ('k') | third_party/WebKit/Source/bindings/templates/interface.cpp » ('j') | third_party/WebKit/Source/modules/crypto/CryptoResultImpl.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp

diff --git a/third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp b/third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp

index aa8877c95d1639df5c10f447eaa832765ef66e77..749e8c768f2b8d1d1f571575c9247a02319fb72a 100644

--- a/third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp

+++ b/third_party/WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp

@@ -96,9 +96,17 @@ v8::Local<v8::Value> toV8(const IDBKey* key, v8::Local<v8::Object> creationConte

case IDBKey::StringType:

return v8String(isolate, key->string());

case IDBKey::BinaryType:

- // Experimental feature: binary keys

- // https://w3c.github.io/IndexedDB/#steps-to-convert-a-key-to-a-value

- return toV8(DOMArrayBuffer::create(reinterpret_cast<const unsigned char*>(key->binary()->data()), key->binary()->size()), creationContext, isolate);

+ {

+ // Experimental feature: binary keys

+ // https://w3c.github.io/IndexedDB/#steps-to-convert-a-key-to-a-value

+ // TODO(junov): crbug.com/536816 Find a more graceful way to handle allocation

+ // failures with createOrNull. It would be possible to throw a RangeError

+ // from here but the consequences of such a change need to be considered

+ // carefully.

+ RefPtr<DOMArrayBuffer> buffer = DOMArrayBuffer::deprecatedCreateOrCrash(reinterpret_cast<const unsigned char*>(key->binary()->data()), key->binary()->size());

+ return toV8(buffer, creationContext, isolate);

+ }

case IDBKey::DateType:

return v8::Date::New(context, key->date()).ToLocalChecked();

case IDBKey::ArrayType:

@@ -185,7 +193,9 @@ static IDBKey* createIDBKeyFromValue(v8::Isolate* isolate, v8::Local<v8::Value>

}

if (value->IsArrayBufferView()) {

DOMArrayBufferView* view = V8ArrayBufferView::toImpl(value.As<v8::Object>());

- if (view->buffer()->isNeutered()) {

+ RefPtr<DOMArrayBuffer> buffer = view->bufferOrNull();

+ RELEASE_ASSERT(buffer); // This is essentially an out-of-memory crash (crbug.com/536816)

+ if (buffer->isNeutered()) {

exceptionState.throwTypeError("The viewed ArrayBuffer is neutered.");

return nullptr;

}