Unified Diff: content/renderer/pepper/v8_var_converter.cc

Issue 566463002: Ensure that v8 arrays are always converted to object vars when allowed. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 3 months ago
Index: content/renderer/pepper/v8_var_converter.cc
diff --git a/content/renderer/pepper/v8_var_converter.cc b/content/renderer/pepper/v8_var_converter.cc
index f36f8cf5759e3b447e1c06274ebd48ad598ec1a9..3c3503046a9ab3dbc2dfba51a9fcfbd7e2add162 100644
--- a/content/renderer/pepper/v8_var_converter.cc
+++ b/content/renderer/pepper/v8_var_converter.cc
@@ -155,7 +155,15 @@ bool GetOrCreateV8Value(v8::Handle<v8::Context> context,
*result = v8::Object::New(isolate);
break;
case PP_VARTYPE_OBJECT: {
- DCHECK(object_vars_allowed == V8VarConverter::kAllowObjectVars);
+ // If object vars are disallowed, we should never be passed an object var
+ // to convert. Also, we should never expect to convert an object var which
+ // is nested inside an array or dictionary.
+ if (object_vars_allowed == V8VarConverter::kDisallowObjectVars ||
+ visited_ids->size() != 0) {
+ NOTREACHED();
+ result->Clear();
+ return false;
+ }
scoped_refptr<V8ObjectVar> v8_object_var = V8ObjectVar::FromPPVar(var);
if (!v8_object_var.get()) {
NOTREACHED();
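Review bot: `visited_ids->size() != 0` on the second line of the new condition reads more idiomatically as `!visited_ids->empty()`, which also states the intent (nothing visited yet, so this is a top-level var) more directly. The guard itself is a sound hardening over the removed DCHECK, because the branch now fails closed in release builds by clearing `*result` and returning false instead of proceeding with a var it should never have received. Whether `visited_ids` can be null at this point is not visible in the hunk; if any caller passes null, the dereference would precede the check. GetOrCreateV8Value starts before the hunk and continues after it.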
@@ -225,9 +233,15 @@ bool GetOrCreateVar(v8::Handle<v8::Value> val,
} else if (val->IsString() || val->IsStringObject()) {
v8::String::Utf8Value utf8(val->ToString());
*result = StringVar::StringToPPVar(std::string(*utf8, utf8.length()));
- } else if (val->IsArray()) {
- *result = (new ArrayVar())->GetPPVar();
} else if (val->IsObject()) {
+ // For any other v8 objects, the conversion happens as follows:
+ // 1) If the object is an array buffer, return an ArrayBufferVar.
+ // 2) If object vars are allowed, return the object wrapped as a
+ // V8ObjectVar. This is to maintain backward compatibility with
+ // synchronous scripting in Flash.
+ // 3) If the object is an array, return an ArrayVar.
+ // 4) If the object can be converted to a resource, return the ResourceVar.
+ // 5) Otherwise return a DictionaryVar.
scoped_ptr<blink::WebArrayBuffer> web_array_buffer(
blink::WebArrayBufferConverter::createFromV8Value(val, isolate));
if (web_array_buffer.get()) {
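Review bot: The numbered comment in the `IsObject()` branch should state the consequence of its ordering explicitly, since the change's purpose depends on it: because step 2 precedes step 3, a v8 array is wrapped as a V8ObjectVar and never becomes an ArrayVar when object vars are allowed. A line such as `// Note: since 2) precedes 3), arrays become V8ObjectVars, not ArrayVars, when object vars are allowed.` after step 5 would make that visible to the next reader of the `IsArray()` branch, which now sits after the object-var branch in the hunk at @@ -238. The condition for step 2 falls in the lines between this hunk and the next, so it cannot be checked against the comment here. GetOrCreateVar starts before the hunk and its `else if` chain continues past it.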
@@ -238,6 +252,8 @@ bool GetOrCreateVar(v8::Handle<v8::Value> val,
v8::Handle<v8::Object> object = val->ToObject();
*result = content::HostGlobals::Get()->
host_var_tracker()->V8ObjectVarForV8Object(instance, object);
+ } else if (val->IsArray()) {
+ *result = (new ArrayVar())->GetPPVar();
} else {
bool was_resource;
if (!resource_converter->FromV8Value(