Title: [127082] trunk
- Revision
- 127082
- Author
- msab...@apple.com
- Date
- 2012-08-29 19:05:15 -0700 (Wed, 29 Aug 2012)
Log Message
use after free in WebCore::FileReader::doAbort
https://bugs.webkit.org/show_bug.cgi?id=91004
Reviewed by Jian Li.
Source/WebCore:
Added check in FileReader::abort to not process the abort if we aren't in the LOADING
state. This is per the FileAPI spec section 8.5.6 step #1.
Tests: fast/files/file-reader-immediate-abort.html
fast/files/file-reader-done-reading-abort.html
* fileapi/FileReader.cpp:
(WebCore::FileReader::abort):
LayoutTests:
New tests to check that FileReader::abort doesn't crash or create events before
or after reading.
* fast/files/file-reader-done-reading-abort-expected.txt: Added.
* fast/files/file-reader-done-reading-abort.html: Added.
* fast/files/file-reader-immediate-abort-expected.txt: Added.
* fast/files/file-reader-immediate-abort.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (127081 => 127082)
--- trunk/LayoutTests/ChangeLog 2012-08-30 02:02:38 UTC (rev 127081)
+++ trunk/LayoutTests/ChangeLog 2012-08-30 02:05:15 UTC (rev 127082)
@@ -1,3 +1,18 @@
+2012-08-29 Michael Saboff <msab...@apple.com>
+
+ use after free in WebCore::FileReader::doAbort
+ https://bugs.webkit.org/show_bug.cgi?id=91004
+
+ Reviewed by Jian Li.
+
+ New tests to check that FileReader::abort doesn't crash or create events before
+ or after reading.
+
+ * fast/files/file-reader-done-reading-abort-expected.txt: Added.
+ * fast/files/file-reader-done-reading-abort.html: Added.
+ * fast/files/file-reader-immediate-abort-expected.txt: Added.
+ * fast/files/file-reader-immediate-abort.html: Added.
+
2012-08-29 Jessie Berlin <jber...@apple.com>
ASSERTION FAILURE in JSC::JSGlobalData::float32ArrayDescriptor when running fast/js/dfg-float64array.html
Added: trunk/LayoutTests/fast/files/file-reader-done-reading-abort-expected.txt (0 => 127082)
--- trunk/LayoutTests/fast/files/file-reader-done-reading-abort-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/files/file-reader-done-reading-abort-expected.txt 2012-08-30 02:05:15 UTC (rev 127082)
@@ -0,0 +1,3 @@
+Test that FileReader.abort after reading is done doesn't fire events.
+DONE
+
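Review bot: The expected output for this test ends with "DONE" only, while the companion file-reader-immediate-abort-expected.txt in this same commit prints a "PASSED" line after each check. Logging a "PASSED" marker here too (after the onloadend handler has run and before "DONE") would make the two tests consistent and make it visible in the output that the abort-after-done path was actually exercised rather than skipped.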
Added: trunk/LayoutTests/fast/files/file-reader-done-reading-abort.html (0 => 127082)
--- trunk/LayoutTests/fast/files/file-reader-done-reading-abort.html (rev 0)
+++ trunk/LayoutTests/fast/files/file-reader-done-reading-abort.html 2012-08-30 02:05:15 UTC (rev 127082)
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<html>
+<body>
+<pre id='console'></pre>
+<script src=""
+<script>
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+function runTest()
+{
+ log("Test that FileReader.abort after reading is done doesn't fire events.");
+
+ var text = "Hello";
+ var reader = new FileReader();
+
+ reader._onloadend_ = function(event) {
+ fileString = event.target.result;
+ if (fileString != text)
+ log("Incorrect data read, expected " + text + ", got " + fileString);
+
+ reader._onabort_ = function() {
+ log("Received abort event after reading");
+ };
+ reader._onload_ = function() {
+ log("Received load event after reading");
+ };
+ reader._onloadend_ = function() {
+ log("Received loadend event after reading");
+ };
+ reader._onloadstart_ = function() {
+ log("Received load start event after reading");
+ };
+ reader._onprogress_ = function() {
+ log("Received progress event after reading");
+ };
+
+ reader.abort();
+ gc();
+ finishTest();
+ }
+
+ reader._onerror_ = function(event) {
+ log("Received error event: " + event.target.error.code);
+ };
+
+ reader.readAsText(new Blob([text]));
+}
+
+function finishTest()
+{
+ log("DONE");
+ if (testRunner.notifyDone)
+ testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window._onload_ = runTest;
+</script>
+</body>
+</html>
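Review bot: Two things in this file could let the test pass vacuously. First, the event handlers are assigned to properties spelled `_onloadend_`, `_onabort_`, `_onload_`, `_onloadstart_`, `_onprogress_` and `_onerror_`; if those underscores are in the file rather than an artifact of the mailing-list rendering, none of the handlers is ever attached to the FileReader, the read never calls back, and the "no events after abort" check never runs (the runner would just time out or report nothing). They should be the plain `onloadend`, `onabort`, etc. properties. Second, the `<script src="">` line above the inline script is empty and unterminated as shown, yet `gc()` is called with no definition in this file, so the helper script that supplies `gc()` needs to be referenced explicitly. Smaller points: `fileString = event.target.result;` assigns an undeclared variable (implicit global), so declare it with `var fileString`; and `finishTest()` calls `testRunner.notifyDone` guarded only by `if (testRunner.notifyDone)`, which throws a ReferenceError when the page is opened in a browser without the test harness, so guard it with `if (window.testRunner)` as the setup block at the bottom already does.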
Added: trunk/LayoutTests/fast/files/file-reader-immediate-abort-expected.txt (0 => 127082)
--- trunk/LayoutTests/fast/files/file-reader-immediate-abort-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/files/file-reader-immediate-abort-expected.txt 2012-08-30 02:05:15 UTC (rev 127082)
@@ -0,0 +1,6 @@
+Test that FileReader.abort on newly created FileReader doesn't crash.
+PASSED
+Test that FileReader.abort on newly created FileReader doesn't fire events.
+PASSED
+DONE
+
Added: trunk/LayoutTests/fast/files/file-reader-immediate-abort.html (0 => 127082)
--- trunk/LayoutTests/fast/files/file-reader-immediate-abort.html (rev 0)
+++ trunk/LayoutTests/fast/files/file-reader-immediate-abort.html 2012-08-30 02:05:15 UTC (rev 127082)
@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html>
+<body>
+<pre id='console'></pre>
+<script src=""
+<script>
+function log(message)
+{
+ document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
+}
+
+function test1()
+{
+ log("Test that FileReader.abort on newly created FileReader doesn't crash.");
+ new FileReader().abort();
+}
+
+function test2()
+{
+ log("Test that FileReader.abort on newly created FileReader doesn't fire events.");
+
+ var reader = new FileReader();
+ reader._onload_ = function() {
+ log("Received load event");
+ };
+ reader._onloadend_ = function() {
+ log("Received loadend event");
+ };
+ reader._onabort_ = function() {
+ log("Received abort event");
+ };
+ reader._onerror_ = function(event) {
+ log("Received error event: " + event.target.error.code);
+ };
+
+ reader.abort();
+}
+
+function runTests()
+{
+ test1();
+ gc();
+ log("PASSED");
+
+ test2();
+ gc();
+ log("PASSED");
+
+ log("DONE");
+ if (testRunner.notifyDone)
+ testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window._onload_ = runTests;
+</script>
+</body>
+</html>
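Review bot: `test2()` registers only `load`, `loadend`, `abort` and `error` handlers, while the companion file-reader-done-reading-abort.html also watches `loadstart` and `progress`; adding those two here would give both tests the same coverage of the events that a wrongly processed abort could fire. The same harness issues as in the other test apply: the handler property names appear as `_onload_` and friends rather than `onload`, which, if literal, means no handler is attached and the "doesn't fire events" check proves nothing; the `<script src="">` include is empty although `gc()` is called; and `runTests()` checks `if (testRunner.notifyDone)` without first checking `window.testRunner`, so it throws outside the test runner. Suggested guard: `if (window.testRunner && testRunner.notifyDone) testRunner.notifyDone();`.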
Modified: trunk/Source/WebCore/ChangeLog (127081 => 127082)
--- trunk/Source/WebCore/ChangeLog 2012-08-30 02:02:38 UTC (rev 127081)
+++ trunk/Source/WebCore/ChangeLog 2012-08-30 02:05:15 UTC (rev 127082)
@@ -1,3 +1,19 @@
+2012-08-29 Michael Saboff <msab...@apple.com>
+
+ use after free in WebCore::FileReader::doAbort
+ https://bugs.webkit.org/show_bug.cgi?id=91004
+
+ Reviewed by Jian Li.
+
+ Added check in FileReader::abort to not process the abort if we aren't in the LOADING
+ state. This is per the FileAPI spec section 8.5.6 step #1.
+
+ Tests: fast/files/file-reader-immediate-abort.html
+ fast/files/file-reader-done-reading-abort.html
+
+ * fileapi/FileReader.cpp:
+ (WebCore::FileReader::abort):
+
2012-08-29 Alex Sakhartchouk <ale...@chromium.org>
[chromium] CCLayerTreeHost::finishCommitOnImplThread wrong setter order
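Review bot: The entry states the new check and cites the spec step, but it does not say how an abort issued outside the LOADING state reached freed memory in `doAbort`, which is what the title promises. One sentence tying the state check to the crash path (which object was already gone when `doAbort` ran on a reader that had never started or had already finished) would let a future reader understand why `m_state != LOADING` is the right guard rather than, say, a null check in `doAbort` itself.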
Modified: trunk/Source/WebCore/fileapi/FileReader.cpp (127081 => 127082)
--- trunk/Source/WebCore/fileapi/FileReader.cpp 2012-08-30 02:02:38 UTC (rev 127081)
+++ trunk/Source/WebCore/fileapi/FileReader.cpp 2012-08-30 02:05:15 UTC (rev 127082)
@@ -161,7 +161,7 @@
{
LOG(FileAPI, "FileReader: aborting\n");
- if (m_aborting)
+ if (m_aborting || m_state != LOADING)
return;
m_aborting = true;
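Review bot: The added `|| m_state != LOADING` condition is the entire fix, yet it carries no comment and the hunk's seven lines of context give a reader no hint of why an early return is correct here; a comment at the check citing the step the ChangeLog already references, e.g. `// Per File API 8.5.6 step 1, abort() is a no-op unless a read is in progress.`, would make that self-evident in the source. Note also that placing the check before `m_aborting = true` means a reader in EMPTY or DONE never enters the aborting path at all, so no abort/loadend events are dispatched, which is exactly what the two new layout tests assert. Since the existing `LOG(FileAPI, "FileReader: aborting\n")` fires before the check, every ignored abort is still logged as "aborting"; moving the LOG below the check, or logging the ignored case separately, would keep the log honest when debugging abort ordering.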
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes