Title: [229774] trunk/Source/WebKit
- Revision: 229774
- Author: [email protected]
- Date: 2018-03-20 14:53:38 -0700 (Tue, 20 Mar 2018)
Log Message
ServiceWorkerClientFetch::didReceiveData should check for m_encodedDataLength
https://bugs.webkit.org/show_bug.cgi?id=183668
Reviewed by Chris Dumez.
A crash happens when releasing a RefPtr<SharedBuffer> buffer that is null.
It happens because ServiceWorkerClientFetch can call m_loader->didReceiveBuffer at two different places:
either when receiving an IPC call, or as part of the completion handler for the response validation check.
At each call site, we release the buffer to pass it to the loader and we set m_encodedLength to zero.
The fix is to add the m_encodedLength check, as is done in the case of the response validation check completion handler.
* WebProcess/Storage/ServiceWorkerClientFetch.cpp:
(WebKit::ServiceWorkerClientFetch::didReceiveData):
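The failure the log message describes, reduced to a stand-alone model, as an added example that is not WebKit code: a buffer can be handed to the loader from two places, one of them a task deferred to the main thread, so the guard has to be evaluated when the deferred task actually runs, not when it is scheduled. `SharedBuffer`, `Loader`, `MainThread` and `Fetch` below are constructed stand-ins (std::unique_ptr plays the part of RefPtr, and a counter plays the part of the crash that `releaseNonNull()` on a null pointer would produce); none of them is the WebKit API.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for WebCore::SharedBuffer.
struct SharedBuffer {
    std::string bytes;
};

// Constructed stand-in for the loader; records every buffer it is handed.
struct Loader {
    std::vector<std::string> received;
    void didReceiveBuffer(std::unique_ptr<SharedBuffer> buffer, size_t encodedLength) {
        (void)encodedLength;
        received.push_back(buffer->bytes);
    }
};

// Deferred-task queue standing in for callOnMainThread: tasks run later, in order.
struct MainThread {
    std::vector<std::function<void()>> tasks;
    void post(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void drain() { for (auto& t : tasks) t(); tasks.clear(); }
};

// Simplified fetch object with the two paths that can hand m_buffer to the loader.
class Fetch {
public:
    Fetch(Loader& loader, MainThread& mainThread, bool guard)
        : m_loader(&loader), m_mainThread(mainThread), m_guard(guard) {}

    // IPC path: accumulate data, deliver later on the main thread.
    void didReceiveData(const std::string& data) {
        if (!m_buffer) m_buffer = std::make_unique<SharedBuffer>();
        m_buffer->bytes += data;
        m_encodedDataLength += data.size();
        m_mainThread.post([this] {
            // With guard == true this is the check the commit adds; the state is
            // re-read here because it may have changed since the task was posted.
            if (!m_loader || (m_guard && !m_encodedDataLength)) return;
            deliver();
        });
    }

    // Response-validation completion path: flush any pending buffer right away.
    void validationCompleted() {
        if (!m_loader || !m_encodedDataLength) return;   // the check this path already had
        deliver();
    }

    size_t nullReleases = 0;   // would-be crashes: releasing a buffer that is already null

private:
    void deliver() {
        if (!m_buffer) { ++nullReleases; return; }   // in WebKit: releaseNonNull() on null
        m_loader->didReceiveBuffer(std::move(m_buffer), m_encodedDataLength);
        m_encodedDataLength = 0;   // both consumers zero the length after releasing
    }
    Loader* m_loader;
    MainThread& m_mainThread;
    bool m_guard;
    std::unique_ptr<SharedBuffer> m_buffer;
    size_t m_encodedDataLength = 0;
};

// The interleaving from the bug: data arrives over IPC (delivery deferred), the
// validation completion handler flushes the buffer first, then the deferred task
// runs and finds the buffer gone. Returns the number of null releases; 0 means the
// guard prevented the second consumer from touching the released buffer.
size_t runScenario(bool guard, size_t* buffersDelivered) {
    Loader loader;
    MainThread mainThread;
    Fetch fetch(loader, mainThread, guard);
    fetch.didReceiveData("hello");   // schedules the deferred delivery
    fetch.validationCompleted();     // delivers now and zeroes m_encodedDataLength
    mainThread.drain();              // deferred delivery observes the consumed state
    if (buffersDelivered) *buffersDelivered = loader.received.size();
    return fetch.nullReleases;
}
```

`runScenario(false, ...)` reproduces the pre-fix behaviour (one null release after the single real delivery); `runScenario(true, ...)` shows the guarded task returning early while the loader still receives the buffer exactly once.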
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (229773 => 229774)
--- trunk/Source/WebKit/ChangeLog 2018-03-20 21:21:06 UTC (rev 229773)
+++ trunk/Source/WebKit/ChangeLog 2018-03-20 21:53:38 UTC (rev 229774)
@@ -1,3 +1,19 @@
+2018-03-20 Youenn Fablet <[email protected]>
+
+ ServiceWorkerClientFetch::didReceiveData should check for m_encodedDataLength
+ https://bugs.webkit.org/show_bug.cgi?id=183668
+
+ Reviewed by Chris Dumez.
+
+ Crash happens when releasing a RefPtr<SharedBuffer> buffer that is null.
+ It happens because ServiceWorkerClientFetch can call m_loader->didReceiveBuffer at two different places.
+ Either when receiving an IPC call or as part of completion handler for the response validation check.
+ At each call site, we release the buffer to pass it to the loader and we set m_encodedLength to zero.
+ The fix is to add the m_encodedLength check like done in the case of response validation check completion handler.
+
+ * WebProcess/Storage/ServiceWorkerClientFetch.cpp:
+ (WebKit::ServiceWorkerClientFetch::didReceiveData):
+
2018-03-20 Jeff Miller <[email protected]>
Expose aggressiveTileRetentionEnabled in WKPreferences SPI to match C SPI
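Review bot: the ChangeLog body names the member `m_encodedLength` ("we set m_encodedLength to zero", "add the m_encodedLength check") while the entry title and the code hunk use `m_encodedDataLength`; use the real field name so a later reader searching the ChangeLog finds it. The entry also says the check mirrors the one in the response validation check completion handler, but that call site is not part of this diff; naming the function that holds it would make the justification checkable.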
Modified: trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp (229773 => 229774)
--- trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp 2018-03-20 21:21:06 UTC (rev 229773)
+++ trunk/Source/WebKit/WebProcess/Storage/ServiceWorkerClientFetch.cpp 2018-03-20 21:53:38 UTC (rev 229774)
@@ -175,7 +175,7 @@
return;
callOnMainThread([this, protectedThis = makeRef(*this)] {
- if (!m_loader)
+ if (!m_loader || !m_encodedDataLength)
return;
m_loader->didReceiveBuffer(m_buffer.releaseNonNull(), m_encodedDataLength, DataPayloadBytes);
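Review bot: the added `!m_encodedDataLength` test in the callOnMainThread lambda guards `m_buffer.releaseNonNull()` on the next line only indirectly, by relying on every path that releases m_buffer also zeroing m_encodedDataLength; the hunk does not show those paths, so the invariant is implicit. Checking the buffer itself (`if (!m_loader || !m_buffer) return;`) or adding `ASSERT(m_buffer);` before the releaseNonNull call would state the invariant in code and turn any future divergence into a debug assertion instead of a null dereference in release builds. A short comment noting that the response validation completion handler may already have consumed the buffer before this deferred task runs would also explain why a second check is needed here at all.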
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes