Chromium Code Reviews Chromium Code Reviews
Issue 774593004:
IndexedDB: Fixed cursor/blob use-after-free bug (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/indexed_db/indexed_db_callbacks.h" | 5 #include "content/browser/indexed_db/indexed_db_callbacks.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 | 8 |
| 9 #include "base/guid.h" | 9 #include "base/guid.h" |
| 10 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
| (...skipping 210 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 221 } | 221 } |
| 222 | 222 |
| 223 static std::string CreateBlobData( | 223 static std::string CreateBlobData( |
| 224 const IndexedDBBlobInfo& blob_info, | 224 const IndexedDBBlobInfo& blob_info, |
| 225 scoped_refptr<IndexedDBDispatcherHost> dispatcher_host, | 225 scoped_refptr<IndexedDBDispatcherHost> dispatcher_host, |
| 226 storage::BlobStorageContext* blob_storage_context, | 226 storage::BlobStorageContext* blob_storage_context, |
| 227 base::TaskRunner* task_runner) { | 227 base::TaskRunner* task_runner) { |
| 228 std::string uuid = blob_info.uuid(); | 228 std::string uuid = blob_info.uuid(); |
| 229 if (!uuid.empty()) { | 229 if (!uuid.empty()) { |
| 230 // We're sending back a live blob, not a reference into our backing store. | 230 // We're sending back a live blob, not a reference into our backing store. |
| 231 scoped_ptr<storage::BlobDataHandle> blob_data_handle( | 231 if (!dispatcher_host->IncrementBlobDataIfHeld(uuid)) { |
|
jsbell
2014/12/04 00:18:16
Can we just make the HoldBlobDataHandle API take t
cmumford
2014/12/04 18:00:29
Done.
| |
| 232 blob_storage_context->GetBlobDataFromUUID(uuid)); | 232 scoped_ptr<storage::BlobDataHandle> blob_data_handle( |
| 233 dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass()); | 233 blob_storage_context->GetBlobDataFromUUID(uuid)); |
| 234 dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass()); | |
| 235 } | |
| 234 return uuid; | 236 return uuid; |
| 235 } | 237 } |
| 236 scoped_refptr<ShareableFileReference> shareable_file = | 238 scoped_refptr<ShareableFileReference> shareable_file = |
| 237 ShareableFileReference::Get(blob_info.file_path()); | 239 ShareableFileReference::Get(blob_info.file_path()); |
| 238 if (!shareable_file.get()) { | 240 if (!shareable_file.get()) { |
| 239 shareable_file = ShareableFileReference::GetOrCreate( | 241 shareable_file = ShareableFileReference::GetOrCreate( |
| 240 blob_info.file_path(), | 242 blob_info.file_path(), |
| 241 ShareableFileReference::DONT_DELETE_ON_FINAL_RELEASE, | 243 ShareableFileReference::DONT_DELETE_ON_FINAL_RELEASE, |
| 242 task_runner); | 244 task_runner); |
| 243 if (!blob_info.release_callback().is_null()) | 245 if (!blob_info.release_callback().is_null()) |
| 244 shareable_file->AddFinalReleaseCallback(blob_info.release_callback()); | 246 shareable_file->AddFinalReleaseCallback(blob_info.release_callback()); |
| 245 } | 247 } |
| 246 | 248 |
| 247 uuid = base::GenerateGUID(); | 249 uuid = base::GenerateGUID(); |
| 248 scoped_refptr<storage::BlobData> blob_data = new storage::BlobData(uuid); | 250 scoped_refptr<storage::BlobData> blob_data = new storage::BlobData(uuid); |
| 249 blob_data->set_content_type(base::UTF16ToUTF8(blob_info.type())); | 251 blob_data->set_content_type(base::UTF16ToUTF8(blob_info.type())); |
| 250 blob_data->AppendFile( | 252 blob_data->AppendFile( |
| 251 blob_info.file_path(), 0, blob_info.size(), blob_info.last_modified()); | 253 blob_info.file_path(), 0, blob_info.size(), blob_info.last_modified()); |
| 252 scoped_ptr<storage::BlobDataHandle> blob_data_handle( | 254 scoped_ptr<storage::BlobDataHandle> blob_data_handle( |
|
jsbell
2014/12/04 00:18:16
Similarly, this BlobDataHandle is dropped if there
cmumford
2014/12/04 18:00:29
Done.
| |
| 253 blob_storage_context->AddFinishedBlob(blob_data.get())); | 255 blob_storage_context->AddFinishedBlob(blob_data.get())); |
| 254 dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass()); | 256 dispatcher_host->HoldBlobDataHandle(uuid, blob_data_handle.Pass()); |
| 255 | 257 |
| 256 return uuid; | 258 return uuid; |
| 257 } | 259 } |
| 258 | 260 |
| 259 static bool CreateAllBlobs( | 261 static bool CreateAllBlobs( |
| 260 const std::vector<IndexedDBBlobInfo>& blob_info, | 262 const std::vector<IndexedDBBlobInfo>& blob_info, |
| 261 std::vector<IndexedDBMsg_BlobOrFileInfo>* blob_or_file_info, | 263 std::vector<IndexedDBMsg_BlobOrFileInfo>* blob_or_file_info, |
| 262 scoped_refptr<IndexedDBDispatcherHost> dispatcher_host) { | 264 scoped_refptr<IndexedDBDispatcherHost> dispatcher_host) { |
| (...skipping 338 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 601 ipc_thread_id_, ipc_callbacks_id_)); | 603 ipc_thread_id_, ipc_callbacks_id_)); |
| 602 dispatcher_host_ = NULL; | 604 dispatcher_host_ = NULL; |
| 603 } | 605 } |
| 604 | 606 |
| 605 void IndexedDBCallbacks::SetConnectionOpenStartTime( | 607 void IndexedDBCallbacks::SetConnectionOpenStartTime( |
| 606 const base::TimeTicks& start_time) { | 608 const base::TimeTicks& start_time) { |
| 607 connection_open_start_time_ = start_time; | 609 connection_open_start_time_ = start_time; |
| 608 } | 610 } |
| 609 | 611 |
| 610 } // namespace content | 612 } // namespace content |
| OLD | NEW |
