Fix use-after-free in proxy resolver

Bug: 139806216
Test: m -j proxy_resolver_v8_unittest && adb sync && adb shell \
      /data/nativetest64/proxy_resolver_v8_unittest/proxy_resolver_v8_unittest

Change-Id: I663829a8a7467f50f9b11fd8b787108ff5d64acc
(cherry picked from commit 061a73bd2d79c4bec5780b9b84dceead30a2b767)
diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc
index 289102e..5884bd1 100644
--- a/src/proxy_resolver_v8.cc
+++ b/src/proxy_resolver_v8.cc
@@ -767,9 +767,8 @@
   v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt));
 
   // Try parsing the PAC script.
-  ArrayBufferAllocator allocator;
   v8::Isolate::CreateParams create_params;
-  create_params.array_buffer_allocator = &allocator;
+  create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
 
   context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params));
   int rv;
diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js
new file mode 100644
index 0000000..3a1e34d
--- /dev/null
+++ b/test/js-unittest/b_139806216.js
@@ -0,0 +1,4 @@
+function FindProxyForURL(url, host){
+    var x = new ArrayBuffer(1);
+    return "DIRECT";
+}
diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc
index 66b2a23..3f6d20f 100644
--- a/test/proxy_resolver_v8_unittest.cc
+++ b/test/proxy_resolver_v8_unittest.cc
@@ -643,5 +643,20 @@
   EXPECT_EQ("DIRECT", proxies[0]);
 }
 
+TEST(ProxyResolverV8Test, B_139806216) {
+  ProxyResolverV8WithMockBindings resolver(new MockJSBindings());
+  int result = resolver.SetPacScript(SCRIPT(B_139806216_JS));
+  EXPECT_EQ(OK, result);
+
+  // Execute FindProxyForURL().
+  result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults);
+
+  EXPECT_EQ(OK, result);
+  std::vector<std::string> proxies = string16ToProxyList(kResults);
+  EXPECT_EQ(1U, proxies.size());
+  EXPECT_EQ("DIRECT", proxies[0]);
+}
+
+
 }  // namespace
 }  // namespace net
diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h
index 0d1b77e..500a57a 100644
--- a/test/proxy_test_script.h
+++ b/test/proxy_test_script.h
@@ -28,6 +28,13 @@
   "\n" \
   "var object;\n" \
 
+#define B_139806216_JS \
+  u""\
+  "function FindProxyForURL(url, host){\n" \
+  "    var x = new ArrayBuffer(1);\n" \
+  "    return \"DIRECT\";\n" \
+  "}\n" \
+
 #define BINDING_FROM_GLOBAL_JS \
   u""\
   "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \