| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ | 5 #ifndef CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ |
| 6 #define CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ | 6 #define CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <string> | 9 #include <string> |
| 10 #include <utility> |
| 10 #include <vector> | 11 #include <vector> |
| 11 | 12 |
| 12 #include "base/basictypes.h" | 13 #include "base/basictypes.h" |
| 13 #include "base/id_map.h" | 14 #include "base/id_map.h" |
| 14 #include "base/memory/ref_counted.h" | 15 #include "base/memory/ref_counted.h" |
| 15 #include "content/browser/fileapi/chrome_blob_storage_context.h" | 16 #include "content/browser/fileapi/chrome_blob_storage_context.h" |
| 16 #include "content/public/browser/browser_message_filter.h" | 17 #include "content/public/browser/browser_message_filter.h" |
| 17 #include "net/url_request/url_request_context_getter.h" | 18 #include "net/url_request/url_request_context_getter.h" |
| 18 #include "storage/browser/blob/blob_data_handle.h" | 19 #include "storage/browser/blob/blob_data_handle.h" |
| 19 #include "url/gurl.h" | 20 #include "url/gurl.h" |
| 20 | 21 |
| 21 struct IndexedDBDatabaseMetadata; | 22 struct IndexedDBDatabaseMetadata; |
| 22 struct IndexedDBHostMsg_DatabaseCount_Params; | 23 struct IndexedDBHostMsg_DatabaseCount_Params; |
| 23 struct IndexedDBHostMsg_DatabaseCreateIndex_Params; | 24 struct IndexedDBHostMsg_DatabaseCreateIndex_Params; |
| 24 struct IndexedDBHostMsg_DatabaseCreateObjectStore_Params; | 25 struct IndexedDBHostMsg_DatabaseCreateObjectStore_Params; |
| 25 struct IndexedDBHostMsg_DatabaseCreateTransaction_Params; | 26 struct IndexedDBHostMsg_DatabaseCreateTransaction_Params; |
| 26 struct IndexedDBHostMsg_DatabaseDeleteRange_Params; | 27 struct IndexedDBHostMsg_DatabaseDeleteRange_Params; |
| 27 struct IndexedDBHostMsg_DatabaseGet_Params; | 28 struct IndexedDBHostMsg_DatabaseGet_Params; |
| 28 struct IndexedDBHostMsg_DatabaseOpenCursor_Params; | 29 struct IndexedDBHostMsg_DatabaseOpenCursor_Params; |
| 29 struct IndexedDBHostMsg_DatabasePut_Params; | 30 struct IndexedDBHostMsg_DatabasePut_Params; |
| 30 struct IndexedDBHostMsg_DatabaseSetIndexKeys_Params; | 31 struct IndexedDBHostMsg_DatabaseSetIndexKeys_Params; |
| 31 struct IndexedDBHostMsg_FactoryDeleteDatabase_Params; | 32 struct IndexedDBHostMsg_FactoryDeleteDatabase_Params; |
| 32 struct IndexedDBHostMsg_FactoryGetDatabaseNames_Params; | 33 struct IndexedDBHostMsg_FactoryGetDatabaseNames_Params; |
| 33 struct IndexedDBHostMsg_FactoryOpen_Params; | 34 struct IndexedDBHostMsg_FactoryOpen_Params; |
| 34 | 35 |
| 35 namespace content { | 36 namespace content { |
| 37 class IndexedDBBlobInfo; |
| 36 class IndexedDBConnection; | 38 class IndexedDBConnection; |
| 37 class IndexedDBContextImpl; | 39 class IndexedDBContextImpl; |
| 38 class IndexedDBCursor; | 40 class IndexedDBCursor; |
| 39 class IndexedDBKey; | 41 class IndexedDBKey; |
| 40 class IndexedDBKeyPath; | 42 class IndexedDBKeyPath; |
| 41 class IndexedDBKeyRange; | 43 class IndexedDBKeyRange; |
| 42 struct IndexedDBDatabaseMetadata; | 44 struct IndexedDBDatabaseMetadata; |
| 43 | 45 |
| 44 // Handles all IndexedDB related messages from a particular renderer process. | 46 // Handles all IndexedDB related messages from a particular renderer process. |
| 45 class IndexedDBDispatcherHost : public BrowserMessageFilter { | 47 class IndexedDBDispatcherHost : public BrowserMessageFilter { |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 87 // These are called to map a 32-bit front-end (renderer-specific) transaction | 89 // These are called to map a 32-bit front-end (renderer-specific) transaction |
| 88 // id to and from a back-end ("host") transaction id that encodes the process | 90 // id to and from a back-end ("host") transaction id that encodes the process |
| 89 // id in the high 32 bits. The mapping is host-specific and ids are validated. | 91 // id in the high 32 bits. The mapping is host-specific and ids are validated. |
| 90 int64 HostTransactionId(int64 transaction_id); | 92 int64 HostTransactionId(int64 transaction_id); |
| 91 int64 RendererTransactionId(int64 host_transaction_id); | 93 int64 RendererTransactionId(int64 host_transaction_id); |
| 92 | 94 |
| 93 // These are called to decode a host transaction ID, for diagnostic purposes. | 95 // These are called to decode a host transaction ID, for diagnostic purposes. |
| 94 static uint32 TransactionIdToRendererTransactionId(int64 host_transaction_id); | 96 static uint32 TransactionIdToRendererTransactionId(int64 host_transaction_id); |
| 95 static uint32 TransactionIdToProcessId(int64 host_transaction_id); | 97 static uint32 TransactionIdToProcessId(int64 host_transaction_id); |
| 96 | 98 |
| 97 void HoldBlobDataHandle(const std::string& uuid, | 99 std::string HoldBlobData(const IndexedDBBlobInfo& blob_info); |
| 98 scoped_ptr<storage::BlobDataHandle> blob_data_handle); | |
| 99 void DropBlobDataHandle(const std::string& uuid); | |
| 100 | 100 |
| 101 private: | 101 private: |
| 102 // Friends to enable OnDestruct() delegation. | 102 // Friends to enable OnDestruct() delegation. |
| 103 friend class BrowserThread; | 103 friend class BrowserThread; |
| 104 friend class base::DeleteHelper<IndexedDBDispatcherHost>; | 104 friend class base::DeleteHelper<IndexedDBDispatcherHost>; |
| 105 | 105 |
| 106 // Used in nested classes. | 106 // Used in nested classes. |
| 107 typedef std::map<std::string, storage::BlobDataHandle*> BlobDataHandleMap; | 107 typedef std::map<std::string, std::pair<storage::BlobDataHandle*, int>> |
| 108 BlobDataHandleMap; |
| 108 typedef std::map<int64, int64> TransactionIDToDatabaseIDMap; | 109 typedef std::map<int64, int64> TransactionIDToDatabaseIDMap; |
| 109 typedef std::map<int64, uint64> TransactionIDToSizeMap; | 110 typedef std::map<int64, uint64> TransactionIDToSizeMap; |
| 110 typedef std::map<int64, GURL> TransactionIDToURLMap; | 111 typedef std::map<int64, GURL> TransactionIDToURLMap; |
| 111 typedef std::map<int32, GURL> WebIDBObjectIDToURLMap; | 112 typedef std::map<int32, GURL> WebIDBObjectIDToURLMap; |
| 112 | 113 |
| 113 // IDMap for RefCounted types | 114 // IDMap for RefCounted types |
| 114 template <typename RefCountedType> | 115 template <typename RefCountedType> |
| 115 class RefIDMap { | 116 class RefIDMap { |
| 116 public: | 117 public: |
| 117 typedef int32 KeyType; | 118 typedef int32 KeyType; |
| (...skipping 136 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 254 void OnIDBFactoryOpen(const IndexedDBHostMsg_FactoryOpen_Params& p); | 255 void OnIDBFactoryOpen(const IndexedDBHostMsg_FactoryOpen_Params& p); |
| 255 | 256 |
| 256 void OnIDBFactoryDeleteDatabase( | 257 void OnIDBFactoryDeleteDatabase( |
| 257 const IndexedDBHostMsg_FactoryDeleteDatabase_Params& p); | 258 const IndexedDBHostMsg_FactoryDeleteDatabase_Params& p); |
| 258 | 259 |
| 259 void OnAckReceivedBlobs(const std::vector<std::string>& uuids); | 260 void OnAckReceivedBlobs(const std::vector<std::string>& uuids); |
| 260 void OnPutHelper(const IndexedDBHostMsg_DatabasePut_Params& params, | 261 void OnPutHelper(const IndexedDBHostMsg_DatabasePut_Params& params, |
| 261 std::vector<storage::BlobDataHandle*> handles); | 262 std::vector<storage::BlobDataHandle*> handles); |
| 262 | 263 |
| 263 void ResetDispatcherHosts(); | 264 void ResetDispatcherHosts(); |
| 265 void DropBlobData(const std::string& uuid); |
| 264 | 266 |
| 265 // The getter holds the context until OnChannelConnected() can be called from | 267 // The getter holds the context until OnChannelConnected() can be called from |
| 266 // the IO thread, which will extract the net::URLRequestContext from it. | 268 // the IO thread, which will extract the net::URLRequestContext from it. |
| 267 scoped_refptr<net::URLRequestContextGetter> request_context_getter_; | 269 scoped_refptr<net::URLRequestContextGetter> request_context_getter_; |
| 268 net::URLRequestContext* request_context_; | 270 net::URLRequestContext* request_context_; |
| 269 scoped_refptr<IndexedDBContextImpl> indexed_db_context_; | 271 scoped_refptr<IndexedDBContextImpl> indexed_db_context_; |
| 270 scoped_refptr<ChromeBlobStorageContext> blob_storage_context_; | 272 scoped_refptr<ChromeBlobStorageContext> blob_storage_context_; |
| 271 | 273 |
| 272 BlobDataHandleMap blob_data_handle_map_; | 274 BlobDataHandleMap blob_data_handle_map_; |
| 273 | 275 |
| 274 // Only access on IndexedDB thread. | 276 // Only access on IndexedDB thread. |
| 275 scoped_ptr<DatabaseDispatcherHost> database_dispatcher_host_; | 277 scoped_ptr<DatabaseDispatcherHost> database_dispatcher_host_; |
| 276 scoped_ptr<CursorDispatcherHost> cursor_dispatcher_host_; | 278 scoped_ptr<CursorDispatcherHost> cursor_dispatcher_host_; |
| 277 | 279 |
| 278 // Used to set file permissions for blob storage. | 280 // Used to set file permissions for blob storage. |
| 279 int ipc_process_id_; | 281 int ipc_process_id_; |
| 280 | 282 |
| 281 DISALLOW_IMPLICIT_CONSTRUCTORS(IndexedDBDispatcherHost); | 283 DISALLOW_IMPLICIT_CONSTRUCTORS(IndexedDBDispatcherHost); |
| 282 }; | 284 }; |
| 283 | 285 |
| 284 } // namespace content | 286 } // namespace content |
| 285 | 287 |
| 286 #endif // CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ | 288 #endif // CONTENT_BROWSER_INDEXED_DB_INDEXED_DB_DISPATCHER_HOST_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 774593004:
IndexedDB: Fixed cursor/blob use-after-free bug (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master