| OLD | NEW |
| 1 // Copyright 2016 the V8 project authors. All rights reserved. | 1 // Copyright 2016 the V8 project authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "src/value-serializer.h" | 5 #include "src/value-serializer.h" |
| 6 | 6 |
| 7 #include <type_traits> | 7 #include <type_traits> |
| 8 | 8 |
| 9 #include "src/base/logging.h" | 9 #include "src/base/logging.h" |
| 10 #include "src/conversions.h" | 10 #include "src/conversions.h" |
| (...skipping 1639 matching lines...) |
| 1650 DCHECK(!object->map()->is_dictionary_map()); | 1650 DCHECK(!object->map()->is_dictionary_map()); |
| 1651 | 1651 |
| 1652 DisallowHeapAllocation no_gc; | 1652 DisallowHeapAllocation no_gc; |
| 1653 DescriptorArray* descriptors = object->map()->instance_descriptors(); | 1653 DescriptorArray* descriptors = object->map()->instance_descriptors(); |
| 1654 for (unsigned i = 0; i < properties.size(); i++) { | 1654 for (unsigned i = 0; i < properties.size(); i++) { |
| 1655 // Initializing store. | 1655 // Initializing store. |
| 1656 object->WriteToField(i, descriptors->GetDetails(i), *properties[i]); | 1656 object->WriteToField(i, descriptors->GetDetails(i), *properties[i]); |
| 1657 } | 1657 } |
| 1658 } | 1658 } |
| 1659 | 1659 |
| 1660 static bool IsValidObjectKey(Handle<Object> value) { |
| 1661 return value->IsName() || value->IsNumber(); |
| 1662 } |
| 1663 |
| 1660 Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties( | 1664 Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties( |
| 1661 Handle<JSObject> object, SerializationTag end_tag, | 1665 Handle<JSObject> object, SerializationTag end_tag, |
| 1662 bool can_use_transitions) { | 1666 bool can_use_transitions) { |
| 1663 uint32_t num_properties = 0; | 1667 uint32_t num_properties = 0; |
| 1664 | 1668 |
| 1665 // Fast path (following map transitions). | 1669 // Fast path (following map transitions). |
| 1666 if (can_use_transitions) { | 1670 if (can_use_transitions) { |
| 1667 bool transitioning = true; | 1671 bool transitioning = true; |
| 1668 Handle<Map> map(object->map(), isolate_); | 1672 Handle<Map> map(object->map(), isolate_); |
| 1669 DCHECK(!map->is_dictionary_map()); | 1673 DCHECK(!map->is_dictionary_map()); |
| (...skipping 15 matching lines...) |
| 1685 // Determine the key to be used and the target map to transition to, if | 1689 // Determine the key to be used and the target map to transition to, if |
| 1686 // possible. Transitioning may abort if the key is not a string, or if no | 1690 // possible. Transitioning may abort if the key is not a string, or if no |
| 1687 // transition was found. | 1691 // transition was found. |
| 1688 Handle<Object> key; | 1692 Handle<Object> key; |
| 1689 Handle<Map> target; | 1693 Handle<Map> target; |
| 1690 Handle<String> expected_key = TransitionArray::ExpectedTransitionKey(map); | 1694 Handle<String> expected_key = TransitionArray::ExpectedTransitionKey(map); |
| 1691 if (!expected_key.is_null() && ReadExpectedString(expected_key)) { | 1695 if (!expected_key.is_null() && ReadExpectedString(expected_key)) { |
| 1692 key = expected_key; | 1696 key = expected_key; |
| 1693 target = TransitionArray::ExpectedTransitionTarget(map); | 1697 target = TransitionArray::ExpectedTransitionTarget(map); |
| 1694 } else { | 1698 } else { |
| 1695 if (!ReadObject().ToHandle(&key)) return Nothing<uint32_t>(); | 1699 if (!ReadObject().ToHandle(&key) || !IsValidObjectKey(key)) { |
| 1700 return Nothing<uint32_t>(); |
| 1701 } |
| 1696 if (key->IsString()) { | 1702 if (key->IsString()) { |
| 1697 key = | 1703 key = |
| 1698 isolate_->factory()->InternalizeString(Handle<String>::cast(key)); | 1704 isolate_->factory()->InternalizeString(Handle<String>::cast(key)); |
| 1699 target = TransitionArray::FindTransitionToField( | 1705 target = TransitionArray::FindTransitionToField( |
| 1700 map, Handle<String>::cast(key)); | 1706 map, Handle<String>::cast(key)); |
| 1701 transitioning = !target.is_null(); | 1707 transitioning = !target.is_null(); |
| 1702 } else { | 1708 } else { |
| 1703 transitioning = false; | 1709 transitioning = false; |
| 1704 } | 1710 } |
| 1705 } | 1711 } |
| (...skipping 59 matching lines...) |
| 1765 // Slow path. | 1771 // Slow path. |
| 1766 for (;; num_properties++) { | 1772 for (;; num_properties++) { |
| 1767 SerializationTag tag; | 1773 SerializationTag tag; |
| 1768 if (!PeekTag().To(&tag)) return Nothing<uint32_t>(); | 1774 if (!PeekTag().To(&tag)) return Nothing<uint32_t>(); |
| 1769 if (tag == end_tag) { | 1775 if (tag == end_tag) { |
| 1770 ConsumeTag(end_tag); | 1776 ConsumeTag(end_tag); |
| 1771 return Just(num_properties); | 1777 return Just(num_properties); |
| 1772 } | 1778 } |
| 1773 | 1779 |
| 1774 Handle<Object> key; | 1780 Handle<Object> key; |
| 1775 if (!ReadObject().ToHandle(&key)) return Nothing<uint32_t>(); | 1781 if (!ReadObject().ToHandle(&key) || !IsValidObjectKey(key)) { |
| 1782 return Nothing<uint32_t>(); |
| 1783 } |
| 1776 Handle<Object> value; | 1784 Handle<Object> value; |
| 1777 if (!ReadObject().ToHandle(&value)) return Nothing<uint32_t>(); | 1785 if (!ReadObject().ToHandle(&value)) return Nothing<uint32_t>(); |
| 1778 | 1786 |
| 1779 bool success; | 1787 bool success; |
| 1780 LookupIterator it = LookupIterator::PropertyOrElement( | 1788 LookupIterator it = LookupIterator::PropertyOrElement( |
| 1781 isolate_, object, key, &success, LookupIterator::OWN); | 1789 isolate_, object, key, &success, LookupIterator::OWN); |
| 1782 if (!success || | 1790 if (!success || |
| 1783 JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE) | 1791 JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE) |
| 1784 .is_null()) { | 1792 .is_null()) { |
| 1785 return Nothing<uint32_t>(); | 1793 return Nothing<uint32_t>(); |
| (...skipping 28 matching lines...) |
| 1814 isolate_->global_handles()->Create(*new_array)); | 1822 isolate_->global_handles()->Create(*new_array)); |
| 1815 } | 1823 } |
| 1816 } | 1824 } |
| 1817 | 1825 |
| 1818 static Maybe<bool> SetPropertiesFromKeyValuePairs(Isolate* isolate, | 1826 static Maybe<bool> SetPropertiesFromKeyValuePairs(Isolate* isolate, |
| 1819 Handle<JSObject> object, | 1827 Handle<JSObject> object, |
| 1820 Handle<Object>* data, | 1828 Handle<Object>* data, |
| 1821 uint32_t num_properties) { | 1829 uint32_t num_properties) { |
| 1822 for (unsigned i = 0; i < 2 * num_properties; i += 2) { | 1830 for (unsigned i = 0; i < 2 * num_properties; i += 2) { |
| 1823 Handle<Object> key = data[i]; | 1831 Handle<Object> key = data[i]; |
| 1832 if (!IsValidObjectKey(key)) return Nothing<bool>(); |
| 1824 Handle<Object> value = data[i + 1]; | 1833 Handle<Object> value = data[i + 1]; |
| 1825 bool success; | 1834 bool success; |
| 1826 LookupIterator it = LookupIterator::PropertyOrElement( | 1835 LookupIterator it = LookupIterator::PropertyOrElement( |
| 1827 isolate, object, key, &success, LookupIterator::OWN); | 1836 isolate, object, key, &success, LookupIterator::OWN); |
| 1828 if (!success || | 1837 if (!success || |
| 1829 JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE) | 1838 JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE) |
| 1830 .is_null()) { | 1839 .is_null()) { |
| 1831 return Nothing<bool>(); | 1840 return Nothing<bool>(); |
| 1832 } | 1841 } |
| 1833 } | 1842 } |
| (...skipping 95 matching lines...) |
| 1929 if (stack.size() != 1) { | 1938 if (stack.size() != 1) { |
| 1930 isolate_->Throw(*isolate_->factory()->NewError( | 1939 isolate_->Throw(*isolate_->factory()->NewError( |
| 1931 MessageTemplate::kDataCloneDeserializationError)); | 1940 MessageTemplate::kDataCloneDeserializationError)); |
| 1932 return MaybeHandle<Object>(); | 1941 return MaybeHandle<Object>(); |
| 1933 } | 1942 } |
| 1934 return scope.CloseAndEscape(stack[0]); | 1943 return scope.CloseAndEscape(stack[0]); |
| 1935 } | 1944 } |
| 1936 | 1945 |
| 1937 } // namespace internal | 1946 } // namespace internal |
| 1938 } // namespace v8 | 1947 } // namespace v8 |
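Review bot: `IsValidObjectKey` (new lines 1660–1662) has no comment explaining why a deserialized key must be a name or a number, even though that is the security-relevant part of the change: all three call sites pass `key` on towards property definition (`LookupIterator::PropertyOrElement` in the slow path and in `SetPropertiesFromKeyValuePairs`), and the bytes being decoded may come from an untrusted sender. I would add a comment above the helper such as `// Keys read from the wire must already be property keys (Name or Number); any other object is rejected instead of being coerced to a key.` `IsName()` also admits symbols; if the writer only ever emits string and numeric keys (not visible on this page, so please confirm), `return value->IsString() || value->IsNumber();` would keep the accepted set equal to what the serializer can produce. `ReadJSObjectProperties` and `SetPropertiesFromKeyValuePairs` are only partly shown here, so whether every rejected key ends in `kDataCloneDeserializationError` rather than a bare `Nothing` without a pending exception cannot be confirmed from these hunks and is worth covering with a test that feeds a non-key object in key position.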