Issue 905529 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	rockot@google.com
Closed:	Nov 15
Components:	Internals>Mojo>Bindings
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	1
Type:	Bug

Mojo JS lite bindings encode arrays of structs incorrectly

Project Member Reported by rockot@google.com, Nov 15

Issue description

Well, the encoding is fine, but we allocate the wrong message size and end up trying to go out of bounds on the message buffer.

Project Member

Comment 1 by bugdroid1@chromium.org, Nov 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af08f139a88f8655bb1dcef2ef8e8da2a729a9bd

commit af08f139a88f8655bb1dcef2ef8e8da2a729a9bd
Author: Ken Rockot <rockot@google.com>
Date: Thu Nov 15 03:29:16 2018

[mojo-bindings] Fix complex arrays for JS lite

We underestimate the total size of a message carrying arrays with struct
elements. This fixes that.

Bug:  905529 
Change-Id: Ib05fa52e42d850c3ebe38bd4f716f7c1327e4cd7
Reviewed-on: https://chromium-review.googlesource.com/c/1336779
Reviewed-by: calamity <calamity@chromium.org>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/master@{#608246}
[modify] https://crrev.com/af08f139a88f8655bb1dcef2ef8e8da2a729a9bd/content/test/data/lite_js_test.mojom
[modify] https://crrev.com/af08f139a88f8655bb1dcef2ef8e8da2a729a9bd/mojo/public/js/bindings_lite.js
[modify] https://crrev.com/af08f139a88f8655bb1dcef2ef8e8da2a729a9bd/third_party/WebKit/LayoutTests/mojo/bindings-lite.html

Comment 2 by rockot@google.com, Nov 15

Status: Fixed (was: Started)

►

Issue 905529 link

Issue metadata

Mojo JS lite bindings encode arrays of structs incorrectly

Issue description

Comment 1 by bugdroid1@chromium.org, Nov 15

Comment 1 Deleted

Comment 2 by rockot@google.com, Nov 15

Comment 2 Deleted

Sign in to add a comment