    Regression(r107058): Use-after-free in SerializedScriptValue::deserialize · 162c7392
    haraken@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=107792
    
    Reviewed by Abhishek Arya.
    
    Source/WebCore:
    
    Imagine the following call path:
    
    (1) history.state is accessed.
    (2) V8History::stateAccessorGetter() calls History::state(), which calls
    HistoryItem::stateObject().
    (3) HistoryItem holds m_stateObject as RefPtr<SerializedScriptValue>,
    but HistoryItem::stateObject() returns SerializedScriptValue*.
    (4) V8History::stateAccessorGetter calls SerializedScriptValue::deserialize()
    for the SerializedScriptValue* obtained in (3).
    (5) SerializedScriptValue::deserialize() can call history.replaceState()
    in its deserialization process (See the test case in the Chromium bug).
    (6) history.replaceState() replaces HistoryItem::m_stateObject.
    This replacement destructs the original HistoryItem::m_stateObject.
    (7) The current deserialization process can crash due to the premature destruction.
    
    To avoid the problem, we have to pass PassRefPtr<SerializedScriptValue> around
    instead of SerializedScriptValue*.
    
    Test: fast/history/replacestate-nocrash.html
    
    * bindings/v8/custom/V8HistoryCustom.cpp:
    (WebCore::V8History::stateAccessorGetter):
    * history/HistoryItem.h:
    (WebCore):
    (WebCore::HistoryItem::stateObject):
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::loadInSameDocument):
    * loader/FrameLoader.h:
    * page/History.cpp:
    (WebCore::History::state):
    (WebCore::History::stateInternal):
    * page/History.h:
    (History):
    
    LayoutTests:
    
    Added a test that demonstrated a crash due to use-after-free
    of SerializedScriptValue.
    
    Test: fast/history/replacestate-nocrash.html
    
    * fast/history/replacestate-nocrash-expected.txt: Added.
    * fast/history/replacestate-nocrash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140748 268f45cc-cd09-0410-ab3c-d52691b4dbfc
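The re-entrancy hazard described in the commit message, reduced to a stand-alone illustration. This is an added example, not WebKit code: `HistoryItem`, `SerializedValue`, `deserializeWithRawPointer` and `deserializeWithStrongRef` are hypothetical stand-ins, `std::shared_ptr` plays the role of WebKit's `RefPtr`/`PassRefPtr`, and the "script hook" models the fact that `deserialize()` may run script that calls `history.replaceState()`. A `std::weak_ptr` probe reports whether the object outlived the hook, so the pre-fix path demonstrates the dangling pointer without actually touching freed memory.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for SerializedScriptValue (constructed for this example).
struct SerializedValue {
    explicit SerializedValue(std::string p) : payload(std::move(p)) {}
    std::string payload;
};

// Hypothetical stand-in for HistoryItem. WebKit holds m_stateObject as
// RefPtr<SerializedScriptValue>; std::shared_ptr models that here.
struct HistoryItem {
    std::shared_ptr<SerializedValue> m_stateObject;

    // Pre-fix shape: a raw pointer that carries no ownership.
    SerializedValue* stateObjectRaw() const { return m_stateObject.get(); }

    // Post-fix shape: the caller receives its own reference (PassRefPtr in WebKit).
    std::shared_ptr<SerializedValue> stateObject() const { return m_stateObject; }

    // history.replaceState(): drops the previous state object, destroying it
    // if nobody else holds a reference.
    void replaceState(std::shared_ptr<SerializedValue> v) { m_stateObject = std::move(v); }
};

// Pre-fix pattern: only a raw pointer is held while script may run.
// Returns true if the value is still alive after the hook, i.e. the
// subsequent read of *raw would have been safe.
bool deserializeWithRawPointer(HistoryItem& item, const std::function<void()>& scriptHook) {
    SerializedValue* raw = item.stateObjectRaw();
    std::weak_ptr<SerializedValue> probe = item.m_stateObject;  // observer, holds no reference
    scriptHook();        // may call replaceState() and release the last reference
    (void)raw;           // the real deserializer would read *raw here: UAF if probe expired
    return !probe.expired();
}

// Post-fix pattern: take a strong reference before running any script, so the
// object survives replaceState() for as long as deserialization needs it.
bool deserializeWithStrongRef(HistoryItem& item, const std::function<void()>& scriptHook) {
    std::shared_ptr<SerializedValue> keepAlive = item.stateObject();
    std::weak_ptr<SerializedValue> probe = keepAlive;
    scriptHook();
    // Safe to dereference: keepAlive still owns the object.
    return !probe.expired() && !keepAlive->payload.empty();
}

// The scenario from the commit: script run mid-deserialization calls replaceState().
bool rawPointerSurvivesReplaceState() {
    HistoryItem item{std::make_shared<SerializedValue>("original")};
    return deserializeWithRawPointer(item, [&] {
        item.replaceState(std::make_shared<SerializedValue>("replaced"));
    });
}

bool strongRefSurvivesReplaceState() {
    HistoryItem item{std::make_shared<SerializedValue>("original")};
    return deserializeWithStrongRef(item, [&] {
        item.replaceState(std::make_shared<SerializedValue>("replaced"));
    });
}

// Control case: with no re-entrant replaceState(), even the raw pointer is fine,
// which is why the bug only surfaces on the specific path the commit describes.
bool rawPointerSurvivesBenignScript() {
    HistoryItem item{std::make_shared<SerializedValue>("original")};
    return deserializeWithRawPointer(item, [] { /* script that does not touch history */ });
}

int main() {
    std::cout << "raw pointer, replaceState during deserialize: "
              << (rawPointerSurvivesReplaceState() ? "alive" : "destroyed (use-after-free)") << '\n';
    std::cout << "strong ref,  replaceState during deserialize: "
              << (strongRefSurvivesReplaceState() ? "alive" : "destroyed") << '\n';
    std::cout << "raw pointer, benign script:                   "
              << (rawPointerSurvivesBenignScript() ? "alive" : "destroyed") << '\n';
    return 0;
}
```

The fix in the commit is exactly the move from the first function's shape to the second: `HistoryItem::stateObject()` and `History::state()` hand out a `PassRefPtr`, so `V8History::stateAccessorGetter` owns a reference for the duration of `deserialize()` regardless of what script does to `m_stateObject` in the meantime.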