From 43316b156e65f867a76ed2afd96bf30696c5f4f6 Mon Sep 17 00:00:00 2001
From: Will Harris
Date: Thu, 28 Feb 2019 19:39:57 +0000
Subject: [Backport] CVE-2019-5786

Merge M72: FileReader: Make a copy of the ArrayBuffer when returning partial results.

This is to avoid accidentally ending up with multiple references to the same underlying ArrayBuffer. The extra performance overhead of this is minimal as usage of partial results is very rare anyway (as can be seen on https://www.chromestatus.com/metrics/feature/timeline/popularity/2158).

Bug: 936448
Reviewed-on: https://chromium-review.googlesource.com/c/1492873
Task-number: QTBUG-74254
Change-Id: I00f95963946c1258f6a1e7da814fb41a957df569
Reviewed-by: Allan Sandfeld Jensen
---
 .../blink/renderer/core/fileapi/file_reader_loader.cc | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc b/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
index 88fa2d46436..37d063d219f 100644
--- a/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
+++ b/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
@@ -135,14 +135,16 @@ DOMArrayBuffer* FileReaderLoader::ArrayBufferResult() {
   if (!raw_data_ || error_code_)
     return nullptr;
 
-  DOMArrayBuffer* result = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
-  if (finished_loading_) {
-    array_buffer_result_ = result;
-    AdjustReportedMemoryUsageToV8(
-        -1 * static_cast(raw_data_->ByteLength()));
-    raw_data_.reset();
+  if (!finished_loading_) {
+    return DOMArrayBuffer::Create(
+        ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength()));
   }
-  return result;
+  array_buffer_result_ = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
+  AdjustReportedMemoryUsageToV8(-1 *
+                                static_cast(raw_data_->ByteLength()));
+
+  raw_data_.reset();
+  return array_buffer_result_;
 }
 
 String FileReaderLoader::StringResult() {
-- 
cgit v1.2.3
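Review bot: The new `!finished_loading_` branch gives no hint why it copies through `ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength())` while the finished path hands out `raw_data_->ToArrayBuffer()` directly, so a later cleanup could "simplify" both back to the cheaper call and silently reintroduce the shared-buffer problem this commit fixes. Add a comment above the branch, e.g. `// Partial results must be a copy: aliasing raw_data_'s backing store here would leave several DOMArrayBuffers sharing one buffer once ToArrayBuffer() is called on completion (CVE-2019-5786).` The finished path would also read better with a line noting that `array_buffer_result_` now owns the data, which is why `raw_data_` is released and the reported V8 memory is reduced. The function's opening brace lies before the hunk.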