diff options
| author | Android Build Merger (Role) <noreply-android-build-merger@google.com> | 2019-09-11 15:10:08 +0000 |
|---|---|---|
| committer | Android Build Merger (Role) <noreply-android-build-merger@google.com> | 2019-09-11 15:10:08 +0000 |
| commit | 46b849f3633f8ddd20e026df29e5f586d40376a6 (patch) | |
| tree | 4ef236d4103cf2993efc9ec1ca6fcf44c0dd85ff | |
| parent | bbb4493b0a72d9661634e28e116383e76dffbfeb (diff) | |
| parent | 44ef83511ebd7ff8fb249b6b5efef3748ac4d462 (diff) | |
| download | chromium-libpac-46b849f3633f8ddd20e026df29e5f586d40376a6.tar.gz | |
[automerger] Fix use-after-free in proxy resolver am: ed9838b89e am: cdc21af3ac am: 44ef83511e
Change-Id: Id86c4d284944366c2b28a3ba6eb759202ab9c715
| -rw-r--r-- | src/proxy_resolver_v8.cc | 3 | ||||
| -rw-r--r-- | test/js-unittest/b_139806216.js | 4 | ||||
| -rw-r--r-- | test/proxy_resolver_v8_unittest.cc | 15 | ||||
| -rw-r--r-- | test/proxy_test_script.h | 6 |
4 files changed, 26 insertions, 2 deletions
diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc index 0504b03..5d8b776 100644 --- a/src/proxy_resolver_v8.cc +++ b/src/proxy_resolver_v8.cc @@ -767,9 +767,8 @@ int ProxyResolverV8::SetPacScript(const android::String16& script_data) { v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt)); // Try parsing the PAC script. - ArrayBufferAllocator allocator; v8::Isolate::CreateParams create_params; - create_params.array_buffer_allocator = &allocator; + create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator(); context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params)); int rv; diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js new file mode 100644 index 0000000..3a1e34d --- /dev/null +++ b/test/js-unittest/b_139806216.js @@ -0,0 +1,4 @@ +function FindProxyForURL(url, host){ + var x = new ArrayBuffer(1); + return "DIRECT"; +} diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc index 73e4405..fa11f73 100644 --- a/test/proxy_resolver_v8_unittest.cc +++ b/test/proxy_resolver_v8_unittest.cc @@ -572,5 +572,20 @@ TEST(ProxyResolverV8Test, B_132073833) { EXPECT_EQ("DIRECT", proxies[0]); } +TEST(ProxyResolverV8Test, B_139806216) { + ProxyResolverV8WithMockBindings resolver(new MockJSBindings()); + int result = resolver.SetPacScript(String16(B_139806216_JS)); + EXPECT_EQ(OK, result); + + // Execute FindProxyForURL(). + result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults); + + EXPECT_EQ(OK, result); + std::vector<std::string> proxies = string16ToProxyList(kResults); + EXPECT_EQ(1U, proxies.size()); + EXPECT_EQ("DIRECT", proxies[0]); +} + + } // namespace } // namespace net diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h index aa10016..bb8502c 100644 --- a/test/proxy_test_script.h +++ b/test/proxy_test_script.h @@ -27,6 +27,12 @@ "\n" \ "var object;\n" \ +#define B_139806216_JS \ + "function FindProxyForURL(url, host){\n" \ + " var x = new ArrayBuffer(1);\n" \ + " return \"DIRECT\";\n" \ + "}\n" \ + #define BINDING_FROM_GLOBAL_JS \ "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \ "// get exercised during initialization.\n" \ |