| Index: third_party/WebKit/Source/bindings/core/v8/ScriptStreamer.cpp
|
| diff --git a/third_party/WebKit/Source/bindings/core/v8/ScriptStreamer.cpp b/third_party/WebKit/Source/bindings/core/v8/ScriptStreamer.cpp
|
| index 512fa575b9ed32ca913e1b38b3b52ddb8a369fc3..0e8ee86fdc3f6a8792ab2ac7711cc7907f0f447d 100644
|
| --- a/third_party/WebKit/Source/bindings/core/v8/ScriptStreamer.cpp
|
| +++ b/third_party/WebKit/Source/bindings/core/v8/ScriptStreamer.cpp
|
| @@ -310,45 +310,54 @@ private:
|
| ASSERT(isMainThread());
|
| MutexLocker locker(m_mutex); // For m_cancelled + m_queueTailPosition.
|
|
|
| - // Get as much data from the ResourceBuffer as we can.
|
| - const char* data = 0;
|
| - Vector<const char*> chunks;
|
| - Vector<size_t> chunkLengths;
|
| - size_t dataLength = 0;
|
| -
|
| - if (!m_cancelled) {
|
| - while (size_t length = m_resourceBuffer->getSomeData(data, m_queueTailPosition)) {
|
| - // FIXME: Here we can limit based on the total length, if it turns
|
| - // out that we don't want to give all the data we have (memory
|
| - // vs. speed).
|
| - chunks.append(data);
|
| - chunkLengths.append(length);
|
| - dataLength += length;
|
| - m_queueTailPosition += length;
|
| - }
|
| - }
|
| -
|
| if (lengthOfBOM > 0) {
|
| ASSERT(!m_lengthOfBOM); // There should be only one BOM.
|
| m_lengthOfBOM = lengthOfBOM;
|
| }
|
|
|
| + if (m_cancelled) {
|
| + m_dataQueue.finish();
|
| + return;
|
| + }
|
| +
|
| + // Get as much data from the ResourceBuffer as we can.
|
| + const char* data = nullptr;
|
| + Vector<const char*> chunks;
|
| + Vector<size_t> chunkLengths;
|
| + size_t bufferLength = 0;
|
| + while (size_t length = m_resourceBuffer->getSomeData(data, m_queueTailPosition)) {
|
| + // FIXME: Here we can limit based on the total length, if it turns
|
| + // out that we don't want to give all the data we have (memory
|
| + // vs. speed).
|
| + chunks.append(data);
|
| + chunkLengths.append(length);
|
| + bufferLength += length;
|
| + m_queueTailPosition += length;
|
| + }
|
| +
|
| // Copy the data chunks into a new buffer, since we're going to give the
|
| // data to a background thread.
|
| - if (dataLength > lengthOfBOM) {
|
| - dataLength -= lengthOfBOM;
|
| - uint8_t* copiedData = new uint8_t[dataLength];
|
| + if (bufferLength > lengthOfBOM) {
|
| + size_t totalLength = bufferLength - lengthOfBOM;
|
| + uint8_t* copiedData = new uint8_t[totalLength];
|
| size_t offset = 0;
|
| + size_t offsetInChunk = lengthOfBOM;
|
| for (size_t i = 0; i < chunks.size(); ++i) {
|
| - memcpy(copiedData + offset, chunks[i] + lengthOfBOM, chunkLengths[i] - lengthOfBOM);
|
| - offset += chunkLengths[i] - lengthOfBOM;
|
| - // BOM is only in the first chunk
|
| - lengthOfBOM = 0;
|
| + if (offsetInChunk >= chunkLengths[i]) {
|
| + offsetInChunk -= chunkLengths[i];
|
| + continue;
|
| + }
|
| +
|
| + size_t dataLength = chunkLengths[i] - offsetInChunk;
|
| + memcpy(copiedData + offset, chunks[i] + offsetInChunk, dataLength);
|
| + offset += dataLength;
|
| + // BOM is in the beginning of the buffer.
|
| + offsetInChunk = 0;
|
| }
|
| - m_dataQueue.produce(copiedData, dataLength);
|
| + m_dataQueue.produce(copiedData, totalLength);
|
| }
|
|
|
| - if (m_finished || m_cancelled)
|
| + if (m_finished)
|
| m_dataQueue.finish();
|
| }
|
|
|
|
|
Chromium Code Reviews
Issue 2252653002:
Avoid accessing out of range in ScriptStreamer (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master