authorasargent@chromium.org <asargent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-12-10 19:09:48 +0000
committerasargent@chromium.org <asargent@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-12-10 19:09:48 +0000
commit62dcf31cba5757e978708e3dc8b4deb323a08cc5 (patch)
tree862b7398fec60ced309a894653b4c9f208be021a /chrome/renderer
parent353f616bcb4cb5eb4b864ae174b2a5a9edcc1af0 (diff)
Prevent 2 types of extension crashes.
If JavaScript code installs a custom toJSON function on Array.prototype, our extension API code treats the resulting request as malformed and kills the offending renderer. Also, the browser can crash if a browser action popup process dies (for various reasons, including this JSON serialization problem). BUG=29283 TEST=Create an extension with a browser action popup that loads prototype.js, and then calls chrome.tabs.update(). Before this change, the popup bubble will crash, and when you click away, crash the browser too. Review URL: http://codereview.chromium.org/466065 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34263 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer')
-rw-r--r--chrome/renderer/resources/extension_process_bindings.js14
1 files changed, 14 insertions, 0 deletions
diff --git a/chrome/renderer/resources/extension_process_bindings.js b/chrome/renderer/resources/extension_process_bindings.js
index 7d8cac8..1ccbd85 100644
--- a/chrome/renderer/resources/extension_process_bindings.js
+++ b/chrome/renderer/resources/extension_process_bindings.js
@@ -166,7 +166,21 @@ var chrome = chrome || {};
// JSON.stringify doesn't support a root object which is undefined.
if (request.args === undefined)
request.args = null;
+
+ // Some javascript libraries (e.g. prototype.js version <= 1.6) add a toJSON
+ // serializer function on Array.prototype that is incompatible with our
+ // native JSON library, causing incorrect deserialization in the C++ side of
+ // StartRequest. We work around that here by temporarily removing the toJSON
+ // function.
+ var arrayToJsonTmp;
+ if (Array.prototype.toJSON) {
+ arrayToJsonTmp = Array.prototype.toJSON;
+ Array.prototype.toJSON = null;
+ }
var sargs = JSON.stringify(request.args);
+ if (arrayToJsonTmp) {
+ Array.prototype.toJSON = arrayToJsonTmp;
+ }
var requestId = GetNextRequestId();
requests[requestId] = request;
return StartRequest(functionName, sargs, requestId,
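Review bot: The restore of `Array.prototype.toJSON` after `JSON.stringify(request.args)` is skipped whenever stringify throws (a cyclic `args`, or a `toJSON` on some nested object that throws), so the extension page would be left with its library's array serializer permanently removed; the save/clear/restore should be wrapped in try/finally so the restore runs on every exit path. The enclosing function starts before the hunk and the `StartRequest(...)` call continues past it. Since this swap runs in the same JS context as the extension's own scripts, a hostile page can still hand the C++ side arbitrary text (by redefining `JSON.stringify`, or adding `toJSON` to `Object.prototype`), so the browser-side malformed-request check the description mentions must remain the enforcement point — this change only removes a false positive for benign libraries. If the same library also installs `toJSON` on other built-in prototypes (String, Number, Date), the mis-serialization presumably persists for those value types; worth confirming against prototype.js 1.6 before closing the bug.
```javascript
  // … unchanged: save Array.prototype.toJSON into arrayToJsonTmp and null it out …
  var sargs;
  try {
    sargs = JSON.stringify(request.args);
  } finally {
    // Restore even if stringify threw, so the page's library keeps working.
    if (arrayToJsonTmp) {
      Array.prototype.toJSON = arrayToJsonTmp;
    }
  }
  // … unchanged: request registration and StartRequest call …
```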