[Backport] CVE-2019-5786

Merge M72: FileReader: Make a copy of the ArrayBuffer when returning partial results.

This is to avoid accidentally ending up with multiple references to the
same underlying ArrayBuffer. The extra performance overhead of this is
minimal as usage of partial results is very rare anyway (as can be seen
on https://www.chromestatus.com/metrics/feature/timeline/popularity/2158).

Bug: 936448
Reviewed-on: https://chromium-review.googlesource.com/c/1492873
Task-number: QTBUG-74254
Change-Id: I00f95963946c1258f6a1e7da814fb41a957df569
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

1 files changed, 6 insertions, 4 deletions

diff --git a/chromium/third_party/WebKit/Source/core/fileapi/FileReaderLoader.cpp b/chromium/third_party/WebKit/Source/core/fileapi/FileReaderLoader.cpp
index 04a018b52f7..bd638690694 100644
--- a/chromium/third_party/WebKit/Source/core/fileapi/FileReaderLoader.cpp
+++ b/chromium/third_party/WebKit/Source/core/fileapi/FileReaderLoader.cpp
@@ -325,11 +325,13 @@ DOMArrayBuffer* FileReaderLoader::arrayBufferResult() {
   if (m_arrayBufferResult)
     return m_arrayBufferResult;
 
-  DOMArrayBuffer* result = DOMArrayBuffer::create(m_rawData->toArrayBuffer());
-  if (m_finishedLoading) {
-    m_arrayBufferResult = result;
+  if (!m_finishedLoading) {
+    return DOMArrayBuffer::create(
+        ArrayBuffer::create(m_rawData->data(), m_rawData->byteLength()));
   }
-  return result;
+
+  m_arrayBufferResult = DOMArrayBuffer::create(m_rawData->toArrayBuffer());
+  return m_arrayBufferResult;
 }
 
 String FileReaderLoader::stringResult() {