diff options
| author | Rubin Xu <rubinxu@google.com> | 2019-09-13 02:58:52 -0700 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2019-09-13 02:58:52 -0700 |
| commit | e15fe22832b73d77b93b7eb914a250b5663f05c2 (patch) | |
| tree | 4ef236d4103cf2993efc9ec1ca6fcf44c0dd85ff | |
| parent | b178a2136df99b9ef50ec002d08b03fbb5162115 (diff) | |
| parent | cfac906e4e92f35934ee9b02de104e5f976a8042 (diff) | |
| download | chromium-libpac-e15fe22832b73d77b93b7eb914a250b5663f05c2.tar.gz | |
[automerger] Fix use-after-free in proxy resolver am: ed9838b89e am: cdc21af3ac am: 44ef83511e am: 46b849f363
am: cfac906e4e
Change-Id: I795840c6d3781015501785f72fbf1e711da8ef41
| -rw-r--r-- | src/proxy_resolver_v8.cc | 3 | ||||
| -rw-r--r-- | test/js-unittest/b_139806216.js | 4 | ||||
| -rw-r--r-- | test/proxy_resolver_v8_unittest.cc | 15 | ||||
| -rw-r--r-- | test/proxy_test_script.h | 6 |
4 files changed, 26 insertions, 2 deletions
diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc index 0504b03..5d8b776 100644 --- a/src/proxy_resolver_v8.cc +++ b/src/proxy_resolver_v8.cc @@ -767,9 +767,8 @@ int ProxyResolverV8::SetPacScript(const android::String16& script_data) { v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt)); // Try parsing the PAC script. - ArrayBufferAllocator allocator; v8::Isolate::CreateParams create_params; - create_params.array_buffer_allocator = &allocator; + create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator(); context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params)); int rv; diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js new file mode 100644 index 0000000..3a1e34d --- /dev/null +++ b/test/js-unittest/b_139806216.js @@ -0,0 +1,4 @@ +function FindProxyForURL(url, host){ + var x = new ArrayBuffer(1); + return "DIRECT"; +} diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc index 73e4405..fa11f73 100644 --- a/test/proxy_resolver_v8_unittest.cc +++ b/test/proxy_resolver_v8_unittest.cc @@ -572,5 +572,20 @@ TEST(ProxyResolverV8Test, B_132073833) { EXPECT_EQ("DIRECT", proxies[0]); } +TEST(ProxyResolverV8Test, B_139806216) { + ProxyResolverV8WithMockBindings resolver(new MockJSBindings()); + int result = resolver.SetPacScript(String16(B_139806216_JS)); + EXPECT_EQ(OK, result); + + // Execute FindProxyForURL(). + result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults); + + EXPECT_EQ(OK, result); + std::vector<std::string> proxies = string16ToProxyList(kResults); + EXPECT_EQ(1U, proxies.size()); + EXPECT_EQ("DIRECT", proxies[0]); +} + + } // namespace } // namespace net diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h index aa10016..bb8502c 100644 --- a/test/proxy_test_script.h +++ b/test/proxy_test_script.h @@ -27,6 +27,12 @@ "\n" \ "var object;\n" \ +#define B_139806216_JS \ + "function FindProxyForURL(url, host){\n" \ + " var x = new ArrayBuffer(1);\n" \ + " return \"DIRECT\";\n" \ + "}\n" \ + #define BINDING_FROM_GLOBAL_JS \ "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \ "// get exercised during initialization.\n" \ |