diff options
| author | Rubin Xu <rubinxu@google.com> | 2019-09-12 14:10:11 -0700 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2019-09-12 14:10:11 -0700 |
| commit | 7e614a8f7e1ff1ee1107a85687aebfaefec6e8e6 (patch) | |
| tree | 98af40851d2fee29d1750424d7212eef661862a3 | |
| parent | 5595e8050190915f34a3b06981e2ad926054ac1c (diff) | |
| parent | 02e803d005a559fdc46b28e532d8e5bc2412de3f (diff) | |
| download | chromium-libpac-7e614a8f7e1ff1ee1107a85687aebfaefec6e8e6.tar.gz | |
Fix use-after-free in proxy resolver am: 061a73bd2d
am: 02e803d005
Change-Id: I20a942ebc5abbb212f4bb4d607a4637017a99e1e
| -rw-r--r-- | src/proxy_resolver_v8.cc | 3 | ||||
| -rw-r--r-- | test/js-unittest/b_139806216.js | 4 | ||||
| -rw-r--r-- | test/proxy_resolver_v8_unittest.cc | 15 | ||||
| -rw-r--r-- | test/proxy_test_script.h | 7 |
4 files changed, 27 insertions, 2 deletions
diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc index 289102e..5884bd1 100644 --- a/src/proxy_resolver_v8.cc +++ b/src/proxy_resolver_v8.cc @@ -767,9 +767,8 @@ int ProxyResolverV8::SetPacScript(const std::u16string& script_data) { v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt)); // Try parsing the PAC script. - ArrayBufferAllocator allocator; v8::Isolate::CreateParams create_params; - create_params.array_buffer_allocator = &allocator; + create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator(); context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params)); int rv; diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js new file mode 100644 index 0000000..3a1e34d --- /dev/null +++ b/test/js-unittest/b_139806216.js @@ -0,0 +1,4 @@ +function FindProxyForURL(url, host){ + var x = new ArrayBuffer(1); + return "DIRECT"; +} diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc index 66b2a23..3f6d20f 100644 --- a/test/proxy_resolver_v8_unittest.cc +++ b/test/proxy_resolver_v8_unittest.cc @@ -643,5 +643,20 @@ TEST(ProxyResolverV8Test, B_132073833) { EXPECT_EQ("DIRECT", proxies[0]); } +TEST(ProxyResolverV8Test, B_139806216) { + ProxyResolverV8WithMockBindings resolver(new MockJSBindings()); + int result = resolver.SetPacScript(SCRIPT(B_139806216_JS)); + EXPECT_EQ(OK, result); + + // Execute FindProxyForURL(). + result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults); + + EXPECT_EQ(OK, result); + std::vector<std::string> proxies = string16ToProxyList(kResults); + EXPECT_EQ(1U, proxies.size()); + EXPECT_EQ("DIRECT", proxies[0]); +} + + } // namespace } // namespace net diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h index 0d1b77e..500a57a 100644 --- a/test/proxy_test_script.h +++ b/test/proxy_test_script.h @@ -28,6 +28,13 @@ "\n" \ "var object;\n" \ +#define B_139806216_JS \ + u""\ + "function FindProxyForURL(url, host){\n" \ + " var x = new ArrayBuffer(1);\n" \ + " return \"DIRECT\";\n" \ + "}\n" \ + #define BINDING_FROM_GLOBAL_JS \ u""\ "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \ |