Cherry-pick 265870.9@safari-7616-branch (d372d5e). https://bugs.webkit.org/show_bug.cgi?id=258583

    Fix heap-use-after-free MemoryIDBBackingStore
    https://bugs.webkit.org/show_bug.cgi?id=258583
    rdar://109095466

    Reviewed by Brady Eidson.

    We delete the object store in MemoryIDBBackingStore::deleteObjectStore
    but can still end up dereferencing the dangling pointer in
    MemoryBackingStoreTransaction::abort when going through
    m_originalObjectStoreNames. This change removes the deleted object
    store's pointer from m_originalObjectStoreNames so we don't hold on to
    anything we shouldn't de-reference, and hence fixes the heap
    use-after-free.

    * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp:
    (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted):
    * LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt: Added.
    * LayoutTests/storage/indexeddb/memory-backing-store-crash.html: Added.

    Canonical link: https://commits.webkit.org/265870.9@safari-7616-branch
chirags27 authored and mcatanzaro committed Sep 26, 2023
1 parent a209cbf commit a1b5274
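As an added illustration, not WebKit code, of the pattern the commit message describes: a transaction keeps raw pointers to object stores as keys of a name-restoration map, the store is destroyed on delete, and abort() then walks the map and reaches the destroyed store. The names Database, Transaction and m_originalNames below are hypothetical stand-ins for MemoryIDBBackingStore, MemoryBackingStoreTransaction and m_originalObjectStoreNames. Deleted stores are quarantined rather than freed so the dangling access is detected the way an ASan report would show it, without executing undefined behaviour; the `withFix` switch mirrors the erase added to objectStoreDeleted().

```cpp
// Added example (not WebKit code): model of the dangling-pointer pattern fixed
// by this commit. Deleted stores are quarantined, not freed, so the dangling
// access can be detected safely instead of invoking undefined behaviour.
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct ObjectStore { std::string name; };

// Hypothetical owner of the stores (stands in for MemoryIDBBackingStore).
class Database {
public:
    ObjectStore* create(const std::string& name) {
        m_stores.push_back(std::make_unique<ObjectStore>(ObjectStore{name}));
        return m_stores.back().get();
    }
    // "Destroy" a store: in real code this frees the object; here it is moved
    // to quarantine so isLive() can answer the question ASan would answer.
    void destroy(ObjectStore* store) {
        for (auto it = m_stores.begin(); it != m_stores.end(); ++it) {
            if (it->get() == store) {
                m_quarantine.push_back(std::move(*it));
                m_stores.erase(it);
                return;
            }
        }
    }
    bool isLive(const ObjectStore* store) const {
        for (const auto& s : m_stores)
            if (s.get() == store) return true;
        return false;
    }
private:
    std::vector<std::unique_ptr<ObjectStore>> m_stores;
    std::vector<std::unique_ptr<ObjectStore>> m_quarantine;
};

// Hypothetical transaction (stands in for MemoryBackingStoreTransaction).
// m_originalNames maps a store pointer to the name it had when the
// transaction started, so abort() can undo renames.
class Transaction {
public:
    Transaction(Database& db, bool eraseOnDelete) : m_db(db), m_eraseOnDelete(eraseOnDelete) {}

    void rename(ObjectStore* store, const std::string& newName) {
        m_originalNames.emplace(store, store->name); // keep only the first original name
        store->name = newName;
    }
    // Mirrors objectStoreDeleted(): with the fix, the bookkeeping entry is
    // dropped before the store is destroyed, so abort() never sees it.
    void deleteStore(ObjectStore* store) {
        if (m_eraseOnDelete)
            m_originalNames.erase(store);
        m_db.destroy(store);
    }
    // Walks the map and restores names; returns how many entries pointed at a
    // store that no longer exists (each one is a use-after-free in real code).
    int abort() {
        int dangling = 0;
        for (auto& [store, original] : m_originalNames) {
            if (!m_db.isLive(store)) { ++dangling; continue; }
            store->name = original;
        }
        m_originalNames.clear();
        return dangling;
    }
private:
    Database& m_db;
    bool m_eraseOnDelete;
    std::map<ObjectStore*, std::string> m_originalNames;
};

// Replays the regression test: create 'b', rename it to 'c', delete 'c', abort.
int danglingAccessesOnAbort(bool withFix) {
    Database db;
    Transaction txn(db, withFix);
    ObjectStore* store = db.create("b");
    txn.rename(store, "c");
    txn.deleteStore(store);
    return txn.abort();
}

int main() {
    std::cout << "without fix: " << danglingAccessesOnAbort(false) << " dangling access(es)\n";
    std::cout << "with fix:    " << danglingAccessesOnAbort(true) << " dangling access(es)\n";
    return 0;
}
```

Without the erase, abort() dereferences the destroyed store's pointer exactly once; with it, the map no longer references the store and the walk is clean.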
Showing 3 changed files with 13 additions and 0 deletions.
@@ -0,0 +1 @@

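Review bot: the new expectation file holds a single line with no visible content, so the test passes whenever the page dumps no text at all, including when the upgradeneeded handler never runs before the dump; consider having the test emit an explicit marker (for example a PASS line after deleteObjectStore) and recording it here, so the expected output shows that the deletion path was actually exercised rather than only that nothing crashed.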
10 changes: 10 additions & 0 deletions LayoutTests/storage/indexeddb/memory-backing-store-crash.html
@@ -0,0 +1,10 @@
<!-- webkit-test-runner [ useEphemeralSession=true ] -->
<script>
if (window.testRunner)
testRunner.dumpAsText()
let request = indexedDB.open('a', 1);
request.addEventListener('upgradeneeded', () => {
request.result.createObjectStore('b').name = 'c';
request.result.deleteObjectStore('c');
});
</script>
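Review bot: the upgradeneeded handler runs asynchronously, but the test never calls testRunner.waitUntilDone()/notifyDone(), so the text dump can be taken before `request.result.createObjectStore('b').name = 'c';` and `request.result.deleteObjectStore('c');` have executed; consider calling waitUntilDone() up front and notifyDone() once the handler (or the request's success/error event) has fired, and terminating `testRunner.dumpAsText()` with a semicolon for consistency with the other statements.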
Expand Up @@ -115,6 +115,8 @@ void MemoryBackingStoreTransaction::objectStoreDeleted(Ref<MemoryObjectStore>&&
{
ASSERT(m_objectStores.contains(&objectStore.get()));
m_objectStores.remove(&objectStore.get());
if (m_originalObjectStoreNames.contains(&objectStore.get()))
m_originalObjectStoreNames.remove(&objectStore.get());
objectStore->deleteAllIndexes(*this);

// If the store removed is previously added in this transaction, we don't need to
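Review bot: the `if (m_originalObjectStoreNames.contains(&objectStore.get()))` guard on the new lines is redundant, since remove() on the WTF hash containers already returns without effect when the key is absent, so `m_originalObjectStoreNames.remove(&objectStore.get());` alone would do; a one-line comment saying that the entry is dropped because abort() walks this map and must not reach a store that deleteObjectStore has already destroyed would also help, as nothing on these lines otherwise records why the removal is needed.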
