Support ImageData cloning in the V8-based structured clone path.

third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp

Index: third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp b/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
index c63f2b14bc9c5e383c98fa1fbd630c727e0131a3..5073a2f68e2ecd23966fe3bac01db873d7ed4886 100644
--- a/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueDeserializer.cpp
@@ -7,6 +7,7 @@
 #include "bindings/core/v8/ToV8.h"
 #include "core/dom/DOMArrayBuffer.h"
 #include "core/dom/DOMSharedArrayBuffer.h"
+#include "core/html/ImageData.h"
 #include "platform/RuntimeEnabledFeatures.h"
 
 namespace blink {
@@ -19,7 +20,8 @@ V8ScriptValueDeserializer::V8ScriptValueDeserializer(RefPtr<ScriptState> scriptS
         reinterpret_cast<const uint8_t*>(
             m_serializedScriptValue->data().ensure16Bit(),
             m_serializedScriptValue->data().characters16()),
-        m_serializedScriptValue->data().length() * 2)
+        m_serializedScriptValue->data().length() * 2,
+        this)
 {
     DCHECK(RuntimeEnabledFeatures::v8BasedStructuredCloneEnabled());
     m_deserializer.SetSupportsLegacyWireFormat(true);
@@ -78,4 +80,46 @@ void V8ScriptValueDeserializer::transfer()
     }
 }
 
+ScriptWrappable* V8ScriptValueDeserializer::readDOMObject(SerializationTag tag)
+{
+    switch (tag) {
+    case ImageDataTag: {
+        uint32_t width = 0, height = 0, pixelLength = 0;
+        const void* pixels = nullptr;
+        if (!readUint32(&width)
+            || !readUint32(&height)
+            || !readUint32(&pixelLength)
+            || !readRawBytes(pixelLength, &pixels))
+            return nullptr;
+        ImageData* imageData = ImageData::create(IntSize(width, height));
+        DOMUint8ClampedArray* pixelArray = imageData->data();
+        if (pixelArray->length() < pixelLength)

[haraken, 2016/09/16 14:17:53]

When can this happen?

[jbroman, 2016/09/16 14:34:33]

It should never be produced by V8ScriptValueSerializer, but it could happen if
data is corrupted on disk, or a malicious renderer is trying to cause invalid
memory access by sending a corrupt message to another renderer.

+            return nullptr;
+        memcpy(pixelArray->data(), pixels, pixelLength);
+        return imageData;
+    }
+    default:
+        break;
+    }
+    return nullptr;
+}
+
+v8::MaybeLocal<v8::Object> V8ScriptValueDeserializer::ReadHostObject(v8::Isolate* isolate)
+{
+    DCHECK_EQ(isolate, m_scriptState->isolate());
+    ExceptionState exceptionState(isolate, ExceptionState::UnknownContext, nullptr, nullptr);
+    ScriptWrappable* wrappable = nullptr;
+    SerializationTag tag = PaddingTag;
+    if (readTag(&tag))
+        wrappable = readDOMObject(tag);

[haraken, 2016/09/16 14:17:53]

Maybe can we move readTag() into readDOMObject()?

[jbroman, 2016/09/16 14:34:33]

readDOMObject will be a virtual method which is overridden for modules (which
will call its superclass method to deal with core objects). However, the tag
should only be read once, so both implementations cannot read it.

+    if (!wrappable) {
+        exceptionState.throwDOMException(DataCloneError, "Unable to deserialize cloned data.");
+        return v8::MaybeLocal<v8::Object>();
+    }
+    v8::Local<v8::Object> creationContext = m_scriptState->context()->Global();
+    v8::Local<v8::Value> wrapper = toV8(wrappable, creationContext, isolate);
+    DCHECK(wrapper->IsObject());
+    return wrapper.As<v8::Object>();
+}
+
 } // namespace blink