Title: [240578] trunk/Source/WebKit
Revision: 240578
Author: [email protected]
Date: 2019-01-28 05:15:03 -0800 (Mon, 28 Jan 2019)

Log Message

WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
https://bugs.webkit.org/show_bug.cgi?id=193901
<rdar://problem/47338669>

Reviewed by David Kilzer.

Don't know how to repro.

* WebProcess/UserContent/WebUserContentController.cpp:
(WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):

Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
(because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
Fix by protecting this over the function.

Modified Paths

Diff

Modified: trunk/Source/WebKit/ChangeLog (240577 => 240578)


--- trunk/Source/WebKit/ChangeLog	2019-01-28 09:46:20 UTC (rev 240577)
+++ trunk/Source/WebKit/ChangeLog	2019-01-28 13:15:03 UTC (rev 240578)
@@ -1,3 +1,20 @@
+2019-01-28  Antti Koivisto  <[email protected]>
+
+        WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+        https://bugs.webkit.org/show_bug.cgi?id=193901
+        <rdar://problem/47338669>
+
+        Reviewed by David Kilzer.
+
+        Don't know how to repro.
+
+        * WebProcess/UserContent/WebUserContentController.cpp:
+        (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+
+        Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+        (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+        Fix by protecting this over the function.
+
 2018-12-15  Darin Adler  <[email protected]>
 
         Replace many uses of String::format with more type-safe alternatives
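
Review bot: the entry explains the lifetime problem well but records no test status; the only hint is "Don't know how to repro." Following the usual ChangeLog convention, please state explicitly that no new test is added and why (no known reproduction), so the missing coverage is visible to anyone reading the log later, and mention the ingredient a future test would need: a user script message handler whose WebUserMessageHandlerDescriptorProxy holds the last reference to the WebUserContentController when it is removed.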

Modified: trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (240577 => 240578)


--- trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp	2019-01-28 09:46:20 UTC (rev 240577)
+++ trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp	2019-01-28 13:15:03 UTC (rev 240578)
@@ -330,6 +330,8 @@
     if (it == m_userMessageHandlers.end())
         return;
 
+    auto protectedThis = makeRef(*this);
+
     auto& userMessageHandlers = it->value;
     bool userMessageHandlersChanged = userMessageHandlers.removeFirstMatching([userScriptMessageHandlerIdentifier](auto& pair) {
         return pair.first ==  userScriptMessageHandlerIdentifier;
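Review bot: `auto protectedThis = makeRef(*this);` is the right fix for the described lifetime issue, but nothing at the call site says why it is there; the reason lives only in the ChangeLog (WebUserMessageHandlerDescriptorProxy refs WebUserContentController, so `removeFirstMatching()` may drop the last ref to `this`). Please add a one-line comment above it, e.g. `// Removing a handler may release the last ref to this via WebUserMessageHandlerDescriptorProxy.`, so a later cleanup does not treat the variable as unused and remove it. Also note that `auto& userMessageHandlers = it->value;` stays a reference into `m_userMessageHandlers`: the protector keeps the controller alive, but it does not prevent that map from being mutated if the destroyed proxy re-enters the controller, so the code after the lambda (beyond the visible hunk) should not assume `it` is still valid unless that re-entrancy is ruled out.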
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes