Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cherry-pick 265870.9@safari-7616-branch (d372d5e). https://bugs.webki…
…t.org/show_bug.cgi?id=258583 Fix heap-use-after-free MemoryIDBBackingStore https://bugs.webkit.org/show_bug.cgi?id=258583 rdar://109095466 Reviewed by Brady Eidson. We delete the object store in MemoryIDBBackingStore::deleteObjectStore but can still end up dereferencing the dangling pointer in MemoryBackingStoreTransaction::abort when going through m_originalObjectStoreNames. This change removes the deleted object store's pointer from m_originalObjectStoreNames so we don't hold on to anything we shouldn't de-reference, and hence fixes the heap use-after-free. * Source/WebCore/Modules/indexeddb/server/MemoryBackingStoreTransaction.cpp: (WebCore::IDBServer::MemoryBackingStoreTransaction::objectStoreDeleted): * LayoutTests/storage/indexeddb/memory-backing-store-crash-expected.txt: Added. * LayoutTests/storage/indexeddb/memory-backing-store-crash.html: Added. Canonical link: https://commits.webkit.org/265870.9@safari-7616-branch
- Loading branch information