commit e15fe22832b73d77b93b7eb914a250b5663f05c2
author Rubin Xu <rubinxu@google.com> Fri Sep 13 02:58:52 2019 -0700
committer android-build-merger <android-build-merger@google.com> Fri Sep 13 02:58:52 2019 -0700
tree 4ef236d4103cf2993efc9ec1ca6fcf44c0dd85ff
parent b178a2136df99b9ef50ec002d08b03fbb5162115
parent cfac906e4e92f35934ee9b02de104e5f976a8042

[automerger] Fix use-after-free in proxy resolver am: ed9838b89e am: cdc21af3ac am: 44ef83511e am: 46b849f363
am: cfac906e4e

Change-Id: I795840c6d3781015501785f72fbf1e711da8ef41

src/proxy_resolver_v8.cc

diff --git a/src/proxy_resolver_v8.cc b/src/proxy_resolver_v8.cc
index 0504b03..5d8b776 100644
--- a/src/proxy_resolver_v8.cc
+++ b/src/proxy_resolver_v8.cc
@@ -767,9 +767,8 @@
   v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt));
 
   // Try parsing the PAC script.
-  ArrayBufferAllocator allocator;
   v8::Isolate::CreateParams create_params;
-  create_params.array_buffer_allocator = &allocator;
+  create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
 
   context_ = new Context(js_bindings_, error_listener_, v8::Isolate::New(create_params));
   int rv;

test/js-unittest/b_139806216.js

diff --git a/test/js-unittest/b_139806216.js b/test/js-unittest/b_139806216.js
new file mode 100644
index 0000000..3a1e34d
--- /dev/null
+++ b/test/js-unittest/b_139806216.js
@@ -0,0 +1,4 @@
+function FindProxyForURL(url, host){
+    var x = new ArrayBuffer(1);
+    return "DIRECT";
+}

test/proxy_resolver_v8_unittest.cc

diff --git a/test/proxy_resolver_v8_unittest.cc b/test/proxy_resolver_v8_unittest.cc
index 73e4405..fa11f73 100644
--- a/test/proxy_resolver_v8_unittest.cc
+++ b/test/proxy_resolver_v8_unittest.cc
@@ -572,5 +572,20 @@
   EXPECT_EQ("DIRECT", proxies[0]);
 }
 
+TEST(ProxyResolverV8Test, B_139806216) {
+  ProxyResolverV8WithMockBindings resolver(new MockJSBindings());
+  int result = resolver.SetPacScript(String16(B_139806216_JS));
+  EXPECT_EQ(OK, result);
+
+  // Execute FindProxyForURL().
+  result = resolver.GetProxyForURL(kQueryUrl, kQueryHost, &kResults);
+
+  EXPECT_EQ(OK, result);
+  std::vector<std::string> proxies = string16ToProxyList(kResults);
+  EXPECT_EQ(1U, proxies.size());
+  EXPECT_EQ("DIRECT", proxies[0]);
+}
+
+
 }  // namespace
 }  // namespace net

test/proxy_test_script.h

diff --git a/test/proxy_test_script.h b/test/proxy_test_script.h
index aa10016..bb8502c 100644
--- a/test/proxy_test_script.h
+++ b/test/proxy_test_script.h
@@ -27,6 +27,12 @@
   "\n" \
   "var object;\n" \
 
+#define B_139806216_JS \
+  "function FindProxyForURL(url, host){\n" \
+  "    var x = new ArrayBuffer(1);\n" \
+  "    return \"DIRECT\";\n" \
+  "}\n" \
+
 #define BINDING_FROM_GLOBAL_JS \
   "// Calls a bindings outside of FindProxyForURL(). This causes the code to\n" \
   "// get exercised during initialization.\n" \