author | Rubin Xu <rubinxu@google.com> | 2019-09-10 16:17:42 +0100 |
---|---|---|
committer | Max Spector <mspector@google.com> | 2019-09-18 17:14:02 -0700 |
commit | c4688193a908e513b873a9f65f1bede27776264e (patch) | |
tree | 4ef236d4103cf2993efc9ec1ca6fcf44c0dd85ff | |
parent | 0ead090f30754c0691f191ea79d398cddf9caa22 (diff) | |
Fix use-after-free in proxy resolver (tags: android-8.0.0_r47, android-8.0.0_r46, android-8.0.0_r45, android-8.0.0_r44, android-8.0.0_r43, android-8.0.0_r42, android-8.0.0_r41, android-8.0.0_r40, security-oc-release)
Bug: 139806216
Test: m -j proxy_resolver_v8_unittest && adb sync && adb shell \
/data/nativetest64/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest
Change-Id: I663829a8a7467f50f9b11fd8b787108ff5d64acc
Merged-In: I663829a8a7467f50f9b11fd8b787108ff5d64acc
(cherry picked from commit ed9838b89ee2c43a5240f411d9c77558b4b34966)
-rw-r--r-- | src/proxy_resolver_v8.cc | 3 | ||||
-rw-r--r-- | test/js-unittest/b_139806216.js | 4 | ||||
-rw-r--r-- | test/proxy_resolver_v8_unittest.cc | 15 | ||||
-rw-r--r-- | test/proxy_test_script.h | 6 |
4 files changed, 26 insertions, 2 deletions
diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc
index 0504b03..5d8b776 100644
--- a/src/proxy_resolver_v8.cc
+++ b/src/proxy_resolver_v8.cc
@@ -767,9 +767,8 @@ int ProxyResolverV8::SetPacScript(const android::String16& script_data) {
 v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt));
 // Try parsing the PAC script.
- ArrayBufferAllocator allocator;
 v8::Isolate::CreateParams create_params;
- create_params.array_buffer_allocator = &allocator;
+ create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
 context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params));
 int rv;
diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js
new file mode 100644
index 0000000..3a1e34d
--- /dev/null
+++ b/test/js-unittest/b_139806216.js
@@ -0,0 +1,4 @@
+function FindProxyForURL(url, host){
+ var x = new ArrayBuffer(1);
+ return "DIRECT";
+}
diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc
index 73e4405..fa11f73 100644
--- a/test/proxy_resolver_v8_unittest.cc
+++ b/test/proxy_resolver_v8_unittest.cc
@@ -572,5 +572,20 @@ TEST(ProxyResolverV8Test, B_132073833) {
 EXPECT_EQ("DIRECT", proxies[0]);
 }
+TEST(ProxyResolverV8Test, B_139806216) {
+ ProxyResolverV8WithMockBindings resolver(new MockJSBindings());
+ int result = resolver.SetPacScript(String16(B_139806216_JS));
+ EXPECT_EQ(OK, result);
+
+ // Execute FindProxyForURL().
+ result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults);
+
+ EXPECT_EQ(OK, result);
+ std::vector<std::string> proxies = string16ToProxyList(kResults);
+ EXPECT_EQ(1U, proxies.size());
+ EXPECT_EQ("DIRECT", proxies[0]);
+}
+
+
 } // namespace
 } // namespace net
diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h
index aa10016..bb8502c 100644
--- a/test/proxy_test_script.h
+++ b/test/proxy_test_script.h 
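Review bot: The allocator returned by `v8::ArrayBuffer::Allocator::NewDefaultAllocator()` on the added line is heap-allocated and owned by the caller — the isolate only stores the raw pointer from create_params — and nothing in the hunk keeps or frees it, so the stack use-after-free becomes a leak of one allocator per SetPacScript() call unless Context deletes it somewhere not visible here. The lifetime rule that caused the bug should be enforced by ownership rather than by the call site: give Context a `std::unique_ptr<v8::ArrayBuffer::Allocator>` member that is created before the isolate and destroyed only after the isolate has been disposed, and pass its `.get()` into create_params. A comment at the assignment should state the requirement: `// The isolate keeps only a raw pointer to this allocator and does not own it; it must outlive the isolate, so Context owns it and releases it after the isolate is disposed.` With the stack `ArrayBufferAllocator allocator;` removed, the ArrayBufferAllocator class appears no longer referenced from this function and may now be dead code. SetPacScript() continues outside the hunk.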
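Review bot: The new B_139806216 test only detects a regression of the original bug when the binary is built with a sanitizer (ASan/HWASan); in a plain build the dangling stack allocator usually still hands back a usable pointer, so `EXPECT_EQ("DIRECT", proxies[0])` passes and the Test: line in the commit message is not a sufficient regression check on its own. A comment above the TEST should record what it guards and how it must be run, e.g. `// Regression test for b/139806216: the first ArrayBuffer allocated after SetPacScript() used an allocator with stack lifetime. Run under a sanitizer build to detect regressions.` The fixture otherwise mirrors B_132073833 directly above it, which is fine.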
@@ -27,6 +27,12 @@
 "\n" \
 "var object;\n" \
+#define B_139806216_JS \
+ "function FindProxyForURL(url, host){\n" \
+ " var x = new ArrayBuffer(1);\n" \
+ " return \"DIRECT\";\n" \
+ "}\n" \
+
 #define BINDING_FROM_GLOBAL_JS \
 "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \
 "// get exercised during initialization.\n" \ |
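Review bot: The B_139806216_JS macro duplicates test/js-unittest/b_139806216.js line for line, and nothing in the hunk records that the two must stay in sync; if this header is produced by a script from the .js files that is fine, otherwise a comment at the top of the macro naming its source, `// Keep in sync with test/js-unittest/b_139806216.js`, would prevent silent drift. The string escaping (`\"DIRECT\"`) matches the .js content as added.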