Title: [227772] trunk/Source/WebKit
Revision
227772
Author
[email protected]
Date
2018-01-29 21:56:36 -0800 (Mon, 29 Jan 2018)

Log Message

Release assert in updateLayout while waiting for sync reply to WebPageProxy::HasInsecureContent
https://bugs.webkit.org/show_bug.cgi?id=182273

Reviewed by Chris Dumez.

The assertion was caused by unrelated sync IPCs being processed while the WebContent process is waiting for
the reply to WebPageProxy::HasInsecureContent. Since this IPC can be used while creating a CachedFrame,
it's not safe to execute arbitrary code.

Fixed the bug by using DoNotProcessIncomingMessagesWhenWaitingForSyncReply added in r227566.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::savePlatformDataToCachedFrame):

Diff

Modified: trunk/Source/WebKit/ChangeLog (227771 => 227772)


--- trunk/Source/WebKit/ChangeLog	2018-01-30 05:36:38 UTC (rev 227771)
+++ trunk/Source/WebKit/ChangeLog	2018-01-30 05:56:36 UTC (rev 227772)
@@ -1,3 +1,19 @@
+2018-01-29  Ryosuke Niwa  <[email protected]>
+
+        Release assert in updateLayout while waiting for sync reply to WebPageProxy::HasInsecureContent
+        https://bugs.webkit.org/show_bug.cgi?id=182273
+
+        Reviewed by Chris Dumez.
+
+        The assertion was caused by unrelated sync IPCs being processed while WebContent process is waiting for
+        the reply to WebPageProxy::HasInsecureContent. Since this IPC can be used while creating CachedFrame,
+        it's not safe to execute arbitrary code.
+
+        Fixed the bug by using DoNotProcessIncomingMessagesWhenWaitingForSyncReply added in r227566.
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::savePlatformDataToCachedFrame):
+
 2018-01-29  Wenson Hsieh  <[email protected]>
 
         Add a build step to copy resources from WebKitAdditions as bundle resources in WebKit
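Review bot: the ChangeLog entry says nothing about test coverage; WebKit entries normally name the test that exercises a fix or say why none is added, and a release assert hit during a sync-reply wait is exactly the kind of reentrancy bug where "No new tests, covered by ..." or a note that it is not reproducible in a layout test would help the next reader. It would also be worth stating in the entry why disabling incoming-message processing for this wait is safe (i.e. why the UI process can never itself be blocked on a sync message to this WebContent process while answering HasInsecureContent), since that is the invariant the fix relies on.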

Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (227771 => 227772)


--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2018-01-30 05:36:38 UTC (rev 227771)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2018-01-30 05:56:36 UTC (rev 227772)
@@ -1371,7 +1371,7 @@
         return;
 
     HasInsecureContent hasInsecureContent;
-    if (webPage->sendSync(Messages::WebPageProxy::HasInsecureContent(), Messages::WebPageProxy::HasInsecureContent::Reply(hasInsecureContent)))
+    if (webPage->sendSync(Messages::WebPageProxy::HasInsecureContent(), Messages::WebPageProxy::HasInsecureContent::Reply(hasInsecureContent), Seconds::infinity(), IPC::SendSyncOption::DoNotProcessIncomingMessagesWhenWaitingForSyncReply))
         cachedFrame->setHasInsecureContent(hasInsecureContent);
 }
 
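Review bot: the new call combines an explicit Seconds::infinity() timeout with IPC::SendSyncOption::DoNotProcessIncomingMessagesWhenWaitingForSyncReply, which means the WebContent process will block indefinitely and answer nothing while it waits; if the UI process is ever itself waiting on a sync message to this process at that moment, the two deadlock rather than hitting the old assert. Please confirm in the review that no such sync message from the UI process can be outstanding during savePlatformDataToCachedFrame, or consider a finite timeout: the existing `if (webPage->sendSync(...))` guard already leaves `hasInsecureContent` at its default and skips `setHasInsecureContent` on failure, so a timed-out reply degrades to the conservative default instead of a hang.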
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes