Skip to site navigation (Press enter)

[webkit-changes] [247787] trunk/Source/WebKit

beidson Wed, 24 Jul 2019 13:29:18 -0700

Title: [247787] trunk/Source/WebKit

Revision: 247787
Author: beid...@apple.com
Date: 2019-07-24 13:28:31 -0700 (Wed, 24 Jul 2019)

Log Message

Crash in WebContent process with custom schemes.
<rdar://problem/52968793> and https://bugs.webkit.org/show_bug.cgi?id=200062


Reviewed by Andy Estes.

Almost everywhere in WebURLSchemeTaskProxy where we call processNextPendingTask() we first protect the task with a ref.
But not in didReceiveData.
So lets do that.

* WebProcess/WebPage/WebURLSchemeTaskProxy.cpp:
(WebKit::WebURLSchemeTaskProxy::didReceiveData): Protect this.

Modified Paths

trunk/Source/WebKit/ChangeLog
trunk/Source/WebKit/WebProcess/WebPage/WebURLSchemeTaskProxy.cpp

Diff

Modified: trunk/Source/WebKit/ChangeLog (247786 => 247787)


--- trunk/Source/WebKit/ChangeLog	2019-07-24 20:18:50 UTC (rev 247786)
+++ trunk/Source/WebKit/ChangeLog	2019-07-24 20:28:31 UTC (rev 247787)
@@ -1,3 +1,17 @@
+2019-07-24  Brady Eidson  <beid...@apple.com>
+
+        Crash in WebContent process with custom schemes.
+        <rdar://problem/52968793> and https://bugs.webkit.org/show_bug.cgi?id=200062
+
+        Reviewed by Andy Estes.
+
+        Almost everywhere in WebURLSchemeTaskProxy where we call processNextPendingTask() we first protect the task with a ref.
+        But not in didReceiveData.
+        So lets do that.
+
+        * WebProcess/WebPage/WebURLSchemeTaskProxy.cpp:
+        (WebKit::WebURLSchemeTaskProxy::didReceiveData): Protect this.
+
 2019-07-24  Alex Christensen  <achristen...@webkit.org>
 
         Null check CompletionHandler in WebPreviewLoaderClient::didReceivePassword

Modified: trunk/Source/WebKit/WebProcess/WebPage/WebURLSchemeTaskProxy.cpp (247786 => 247787)


--- trunk/Source/WebKit/WebProcess/WebPage/WebURLSchemeTaskProxy.cpp	2019-07-24 20:18:50 UTC (rev 247786)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebURLSchemeTaskProxy.cpp	2019-07-24 20:28:31 UTC (rev 247787)
@@ -125,6 +125,7 @@
         return;
     }
 
+    auto protectedThis = makeRef(*this);
     m_coreLoader->didReceiveData(reinterpret_cast<const char*>(data), size, 0, DataPayloadType::DataPayloadBytes);
     processNextPendingTask();
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes