From 4cb8afd91bfbe845e9bc2e1eff94e33ad8f8865a Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@digia.com>
Date: Fri, 28 Feb 2014 15:40:42 +0100
Subject: Do no allow arbitrarily large buffer during loading

If the network is faster or we get a cache-hit, we can currently
end up processing very large QByteArrays. To lower the maximum memory
pressure and improve caching, we should limit the maximum size of the
buffers.

Task-number: QTBUG-36979
Change-Id: I681e764d95db75aa846de2df8b84ac6630872afb
Reviewed-by: Michael Bruning <michael.bruning@digia.com>
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
---
 .../platform/network/qt/QNetworkReplyHandler.cpp   | 28 ++++++++++++++++------
 .../platform/network/qt/QNetworkReplyHandler.h     |  1 +
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
index a6e0840bf..5990a4075 100644
--- a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
+++ b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
@@ -216,6 +216,12 @@ void QNetworkReplyHandlerCallQueue::push(EnqueuedCall method)
     flush();
 }
 
+void QNetworkReplyHandlerCallQueue::requeue(EnqueuedCall method)
+{
+    m_enqueuedCalls.prepend(method);
+    flush();
+}
+
 void QNetworkReplyHandlerCallQueue::lock()
 {
     ++m_locks;
@@ -666,17 +672,25 @@ void QNetworkReplyHandler::forwardData()
 {
     ASSERT(m_replyWrapper && m_replyWrapper->reply() && !wasAborted() && !m_replyWrapper->wasRedirected());
 
-    QByteArray data = m_replyWrapper->reply()->read(m_replyWrapper->reply()->bytesAvailable());
-
     ResourceHandleClient* client = m_resourceHandle->client();
     if (!client)
         return;
 
-    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=19793
-    // -1 means we do not provide any data about transfer size to inspector so it would use
-    // Content-Length headers or content size to show transfer size.
-    if (!data.isEmpty())
-        client->didReceiveData(m_resourceHandle, data.constData(), data.length(), -1);
+    qint64 bytesAvailable = m_replyWrapper->reply()->bytesAvailable();
+    char* buffer = new char[8128]; // smaller than 8192 to fit within 8k including overhead.
+    while (bytesAvailable > 0 && !m_queue.deferSignals()) {
+        qint64 readSize = m_replyWrapper->reply()->read(buffer, 8128);
+        if (readSize <= 0)
+            break;
+        bytesAvailable -= readSize;
+        // FIXME: https://bugs.webkit.org/show_bug.cgi?id=19793
+        // -1 means we do not provide any data about transfer size to inspector so it would use
+        // Content-Length headers or content size to show transfer size.
+        client->didReceiveData(m_resourceHandle, buffer, readSize, -1);
+    }
+    delete[] buffer;
+    if (bytesAvailable > 0)
+        m_queue.requeue(&QNetworkReplyHandler::forwardData);
 }
 
 void QNetworkReplyHandler::uploadProgress(qint64 bytesSent, qint64 bytesTotal)
diff --git a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
index 6bc35cc12..bf838fdc2 100644
--- a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
+++ b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
@@ -52,6 +52,7 @@ public:
 
     typedef void (QNetworkReplyHandler::*EnqueuedCall)();
     void push(EnqueuedCall method);
+    void requeue(EnqueuedCall method);
     void clear() { m_enqueuedCalls.clear(); }
 
     void lock();
-- 
cgit v1.2.1