Closed
Bug 1445590
Opened 6 years ago
Closed 6 years ago
postMessage() with transfer crash
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox61 | --- | fixed |
People
(Reporter: annevk, Assigned: baku)
References
Details
Attachments
(2 files)
Run this within the web-platform-tests framework with ".js" replaced with ".html" in the address bar
1.33 KB,
text/javascript
|
Details | |
3.56 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
I found this while working on tests for https://github.com/whatwg/html/pull/3557. I'd like to make the tests public since they are needed to move the specification forward, but I could probably leave the crashing bits out. In particular the "assert_throws" lines in the third and fourth test seem to trigger this.
Reporter | ||
Comment 1•6 years ago
|
||
This blocks bug 1441141 but I'm not marking it as such since I'm not sure if the UI ends up exposing that publicly, which would be somewhat bad (although I guess I did discuss the postMessage() nature on IRC already...).
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → amarchesini
Assignee | ||
Comment 2•6 years ago
|
||
Attachment #8958814 -
Flags: review?(bugs)
Updated•6 years ago
|
Group: core-security → dom-core-security
Assignee | ||
Comment 4•6 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #3) > Could you explain the issue a bit? Sure. StructuredCloneHolder calls: https://searchfox.org/mozilla-central/source/dom/base/StructuredCloneHolder.cpp#1258 Where we assume that mData exists: https://searchfox.org/mozilla-central/source/dom/canvas/ImageBitmap.cpp#799 But if the image is closed, mData is null: https://searchfox.org/mozilla-central/source/dom/canvas/ImageBitmap.cpp#552 A closed image is detached: https://html.spec.whatwg.org/multipage/imagebitmap-and-animations.html#dom-imagebitmap-close And a detached object cannot be transferred: https://html.spec.whatwg.org/multipage/structured-data.html#structuredserializewithtransfer The fix checks if mData is null. If yes, it returns a null object in ToCloneData.
Flags: needinfo?(amarchesini)
Updated•6 years ago
|
Attachment #8958814 -
Flags: review?(bugs) → review+
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/95ab98a246e6 ImageBitmap cannot be cloned/transferred if already closed, r=smaug
Comment 7•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/95ab98a246e6
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•