diff options
| author | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-04 00:39:34 +0000 |
|---|---|---|
| committer | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-04 00:39:34 +0000 |
| commit | 55181778eaf298eb2035f64d20a7ebe4e447a75e (patch) | |
| tree | 691b9d2524539f3818f93c91db601a73632fa513 /webkit/plugins/ppapi | |
| parent | 0e3ff908d6a65ea0e86ebf6a0093d2f12f16034d (diff) | |
| download | chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.zip chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.gz chromium_src-55181778eaf298eb2035f64d20a7ebe4e447a75e.tar.bz2 | |
Copy buffers in base::FileUtilProxy::{Read,Write} to avoid memory corruption.
If caller has called PPB_FileIO_Impl::Close() while a read or
write operation is in flight, and deletes the read or write buffer, we now avoid corrupting memory.
For Write, FileUtilProxy::Write simply copies the input buffer before passing control to the FILE thread. For Read, the caller no longer passes a buffer; instead, they are passed a const char* in the ReadCallback.
One caller of FileUtilProxy::Read outside of PPAPI was also updated.
BUG=70285
R=darin
Patch by Adam Klein (adamk@chromium.org)
Originally reviewed at http://codereview.chromium.org/6312040/
Review URL: http://codereview.chromium.org/6349090
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@73714 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins/ppapi')
| -rw-r--r-- | webkit/plugins/ppapi/ppb_file_io_impl.cc | 36 | ||||
| -rw-r--r-- | webkit/plugins/ppapi/ppb_file_io_impl.h | 8 |
2 files changed, 35 insertions, 9 deletions
diff --git a/webkit/plugins/ppapi/ppb_file_io_impl.cc b/webkit/plugins/ppapi/ppb_file_io_impl.cc index ac8004b..fab8c7b 100644 --- a/webkit/plugins/ppapi/ppb_file_io_impl.cc +++ b/webkit/plugins/ppapi/ppb_file_io_impl.cc @@ -205,7 +205,8 @@ PPB_FileIO_Impl::PPB_FileIO_Impl(PluginInstance* instance) ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)), file_(base::kInvalidPlatformFileValue), callback_(), - info_(NULL) { + info_(NULL), + read_buffer_(NULL) { } PPB_FileIO_Impl::~PPB_FileIO_Impl() { @@ -311,10 +312,14 @@ int32_t PPB_FileIO_Impl::Read(int64_t offset, if (rv != PP_OK) return rv; + // If |read_buffer__|, a callback should be pending (caught above). + DCHECK(!read_buffer_); + read_buffer_ = buffer; + if (!base::FileUtilProxy::Read( instance()->delegate()->GetFileThreadMessageLoopProxy(), - file_, offset, buffer, bytes_to_read, - callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadWriteCallback))) + file_, offset, bytes_to_read, + callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadCallback))) return PP_ERROR_FAILED; RegisterCallback(callback); @@ -332,7 +337,7 @@ int32_t PPB_FileIO_Impl::Write(int64_t offset, if (!base::FileUtilProxy::Write( instance()->delegate()->GetFileThreadMessageLoopProxy(), file_, offset, buffer, bytes_to_write, - callback_factory_.NewCallback(&PPB_FileIO_Impl::ReadWriteCallback))) + callback_factory_.NewCallback(&PPB_FileIO_Impl::WriteCallback))) return PP_ERROR_FAILED; RegisterCallback(callback); @@ -469,12 +474,29 @@ void PPB_FileIO_Impl::QueryInfoCallback( RunPendingCallback(PlatformFileErrorToPepperError(error_code)); } -void PPB_FileIO_Impl::ReadWriteCallback(base::PlatformFileError error_code, - int bytes_read_or_written) { +void PPB_FileIO_Impl::ReadCallback(base::PlatformFileError error_code, + const char* data, int bytes_read) { + DCHECK(data); + DCHECK(read_buffer_); + + int rv; + if (error_code == base::PLATFORM_FILE_OK) { + rv = bytes_read; + if (file_ != base::kInvalidPlatformFileValue) + memcpy(read_buffer_, data, bytes_read); + } else + rv = PlatformFileErrorToPepperError(error_code); + + read_buffer_ = NULL; + RunPendingCallback(rv); +} + +void PPB_FileIO_Impl::WriteCallback(base::PlatformFileError error_code, + int bytes_written) { if (error_code != base::PLATFORM_FILE_OK) RunPendingCallback(PlatformFileErrorToPepperError(error_code)); else - RunPendingCallback(bytes_read_or_written); + RunPendingCallback(bytes_written); } } // namespace ppapi diff --git a/webkit/plugins/ppapi/ppb_file_io_impl.h b/webkit/plugins/ppapi/ppb_file_io_impl.h index 3786540..3bc2742 100644 --- a/webkit/plugins/ppapi/ppb_file_io_impl.h +++ b/webkit/plugins/ppapi/ppb_file_io_impl.h @@ -95,8 +95,9 @@ class PPB_FileIO_Impl : public Resource { base::PlatformFile file); void QueryInfoCallback(base::PlatformFileError error_code, const base::PlatformFileInfo& file_info); - void ReadWriteCallback(base::PlatformFileError error_code, - int bytes_read_or_written); + void ReadCallback(base::PlatformFileError error_code, + const char* data, int bytes_read); + void WriteCallback(base::PlatformFileError error_code, int bytes_written); base::ScopedCallbackFactory<PPB_FileIO_Impl> callback_factory_; @@ -110,6 +111,9 @@ class PPB_FileIO_Impl : public Resource { // pending for it. PP_FileInfo_Dev* info_; + // Pointer back to the caller's read buffer; used by |Read()|. Not owned. + char* read_buffer_; + DISALLOW_COPY_AND_ASSIGN(PPB_FileIO_Impl); }; |