Chromium Code Reviews| Index: third_party/WebKit/Source/modules/fetch/Response.cpp |
| diff --git a/third_party/WebKit/Source/modules/fetch/Response.cpp b/third_party/WebKit/Source/modules/fetch/Response.cpp |
| index 03b9ee8be37549951dfedceb5be126a866a7e679..feeee6d1a678761bf68f8a76f55ef6a3d8e8f4cc 100644 |
| --- a/third_party/WebKit/Source/modules/fetch/Response.cpp |
| +++ b/third_party/WebKit/Source/modules/fetch/Response.cpp |
| @@ -148,13 +148,18 @@ Response* Response::Create(ScriptState* script_state, |
| new BlobBytesConsumer(execution_context, blob->GetBlobDataHandle())); |
| content_type = blob->type(); |
| } else if (body->IsArrayBuffer()) { |
| - body_buffer = new BodyStreamBuffer( |
| - script_state, new FormDataBytesConsumer( |
| - V8ArrayBuffer::toImpl(body.As<v8::Object>()))); |
|
haraken
2017/05/10 09:05:16
Isn't it guaranteed that V8ArrayBuffer::toImpl(bod
Michael Lippautz
2017/05/10 10:51:25
My C++ foo is not strong enough to answer this by
|
| + // Avoid calling into V8 from the following constructor parameters, which |
| + // is potentially unsafe. |
| + DOMArrayBuffer* array_buffer = V8ArrayBuffer::toImpl(body.As<v8::Object>()); |
| + body_buffer = new BodyStreamBuffer(script_state, |
| + new FormDataBytesConsumer(array_buffer)); |
| } else if (body->IsArrayBufferView()) { |
| + // Avoid calling into V8 from the following constructor parameters, which |
| + // is potentially unsafe. |
| + DOMArrayBufferView* array_buffer_view = |
| + V8ArrayBufferView::toImpl(body.As<v8::Object>()); |
| body_buffer = new BodyStreamBuffer( |
| - script_state, new FormDataBytesConsumer( |
| - V8ArrayBufferView::toImpl(body.As<v8::Object>()))); |
| + script_state, new FormDataBytesConsumer(array_buffer_view)); |
| } else if (V8FormData::hasInstance(body, isolate)) { |
| RefPtr<EncodedFormData> form_data = |
| V8FormData::toImpl(body.As<v8::Object>())->EncodeMultiPartFormData(); |
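Review bot: The two added comments call the inline conversion "potentially unsafe" without naming the hazard, so a later cleanup could fold `V8ArrayBuffer::toImpl(...)` or `V8ArrayBufferView::toImpl(...)` back into the `new BodyStreamBuffer(...)` argument list. The likely concern, which the page does not state and should be confirmed, is that before C++17 a new-expression may allocate its storage before the constructor arguments are evaluated, so a call into V8 could run while an object is allocated but not yet constructed. I would spell that out in both branches, for example `// Convert before the new-expressions: allocation may precede argument evaluation, and toImpl() can call into V8.` `Response::Create` begins and ends outside this hunk, so other branches with the same nesting are not visible here.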