authorWill Harris <wfh@chromium.org>2019-02-28 19:39:57 +0000
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2019-03-07 09:23:57 +0000
commit43316b156e65f867a76ed2afd96bf30696c5f4f6 (patch)
tree381b62b94be60e6c66581c1c4b0c998080df7046
parentb3edbf2a84d96ed1d0307a8ef909b2f1f6c2a971 (diff)
downloadqtwebengine-chromium-5.12.2.tar.gz
[Backport] CVE-2019-5786v5.12.2
Merge M72: FileReader: Make a copy of the ArrayBuffer when returning partial results. This is to avoid accidentally ending up with multiple references to the same underlying ArrayBuffer. The extra performance overhead of this is minimal as usage of partial results is very rare anyway (as can be seen on https://www.chromestatus.com/metrics/feature/timeline/popularity/2158). Bug: 936448 Reviewed-on: https://chromium-review.googlesource.com/c/1492873 Task-number: QTBUG-74254 Change-Id: I00f95963946c1258f6a1e7da814fb41a957df569 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc16
1 files changed, 9 insertions, 7 deletions
diff --git a/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc b/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
index 88fa2d46436..37d063d219f 100644
--- a/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
+++ b/chromium/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
@@ -135,14 +135,16 @@ DOMArrayBuffer* FileReaderLoader::ArrayBufferResult() {
if (!raw_data_ || error_code_)
return nullptr;
- DOMArrayBuffer* result = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
- if (finished_loading_) {
- array_buffer_result_ = result;
- AdjustReportedMemoryUsageToV8(
- -1 * static_cast<int64_t>(raw_data_->ByteLength()));
- raw_data_.reset();
+ if (!finished_loading_) {
+ return DOMArrayBuffer::Create(
+ ArrayBuffer::Create(raw_data_->Data(), raw_data_->ByteLength()));
}
- return result;
+ array_buffer_result_ = DOMArrayBuffer::Create(raw_data_->ToArrayBuffer());
+ AdjustReportedMemoryUsageToV8(-1 *
+ static_cast<int64_t>(raw_data_->ByteLength()));
+
+ raw_data_.reset();
+ return array_buffer_result_;
}
String FileReaderLoader::StringResult() {
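Review bot: The new early-return branch for `!finished_loading_` carries no comment saying why it copies the bytes instead of wrapping `raw_data_`, so the reason lives only in the commit message and a later cleanup could fold the two paths back together and reintroduce the shared-buffer condition this change removes. Add above the `if (!finished_loading_)` line: `// Partial results get a copy of the bytes so that no two DOMArrayBuffers handed to script share raw_data_'s backing ArrayBuffer (crbug.com/936448).` The finished-loading path below is the only one that may hand out `raw_data_->ToArrayBuffer()` directly, because it resets `raw_data_` immediately afterward; a one-line comment there (`// Final result: hand over the buffer and drop our own reference.`) would make the asymmetry look deliberate rather than accidental. Whether `ArrayBuffer::Create(data, length)` can return null on allocation failure is not visible in this hunk; if it can, `DOMArrayBuffer::Create` would receive a null pointer here, so confirm against its definition. The enclosing `ArrayBufferResult` begins before the hunk (its signature appears only in the `@@` header).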