Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/ChangeLog (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/ChangeLog 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/ChangeLog 2019-08-04 03:24:05 UTC (rev 248253)
@@ -1,5 +1,22 @@
2019-07-17 Carlos Garcia Campos <[email protected]>
+ [WPE][GTK] UI process crash due to NULL dereference in webkitWebViewResourceLoadStarted()
+ https://bugs.webkit.org/show_bug.cgi?id=199621
+
+ Reviewed by Michael Catanzaro.
+
+ Null-check frame received in injected bundle message to ensure the frame hasn't been destroyed.
+
+ * UIProcess/API/glib/WebKitInjectedBundleClient.cpp:
+ * UIProcess/API/glib/WebKitWebResource.cpp:
+ (webkitWebResourceCreate): Receive a reference to the frame instead of a pointer.
+ * UIProcess/API/glib/WebKitWebResourcePrivate.h:
+ * UIProcess/API/glib/WebKitWebView.cpp:
+ (webkitWebViewResourceLoadStarted): Ditto.
+ * UIProcess/API/glib/WebKitWebViewPrivate.h:
+
+2019-07-17 Carlos Garcia Campos <[email protected]>
+
[GTK][WPE] Do not assert when receiving invalid data in injected bundle messages
https://bugs.webkit.org/show_bug.cgi?id=199830
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitInjectedBundleClient.cpp (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitInjectedBundleClient.cpp 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitInjectedBundleClient.cpp 2019-08-04 03:24:05 UTC (rev 248253)
@@ -45,43 +45,70 @@
{
if (g_str_equal(messageName, "DidInitiateLoadForResource")) {
WebFrameProxy* frame = static_cast<WebFrameProxy*>(message.get(String::fromUTF8("Frame")));
+ if (!frame)
+ return;
+
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
API::URLRequest* webRequest = static_cast<API::URLRequest*>(message.get(String::fromUTF8("Request")));
+ if (!webRequest)
+ return;
+
GRefPtr<WebKitURIRequest> request = adoptGRef(webkitURIRequestCreateForResourceRequest(webRequest->resourceRequest()));
-
- webkitWebViewResourceLoadStarted(webView, frame, resourceIdentifier->value(), request.get());
+ webkitWebViewResourceLoadStarted(webView, *frame, resourceIdentifier->value(), request.get());
} else if (g_str_equal(messageName, "DidSendRequestForResource")) {
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
GRefPtr<WebKitWebResource> resource = webkitWebViewGetLoadingWebResource(webView, resourceIdentifier->value());
if (!resource)
return;
API::URLRequest* webRequest = static_cast<API::URLRequest*>(message.get(String::fromUTF8("Request")));
+ if (!webRequest)
+ return;
+
GRefPtr<WebKitURIRequest> request = adoptGRef(webkitURIRequestCreateForResourceRequest(webRequest->resourceRequest()));
API::URLResponse* webRedirectResponse = static_cast<API::URLResponse*>(message.get(String::fromUTF8("RedirectResponse")));
- GRefPtr<WebKitURIResponse> redirectResponse = webRedirectResponse ? adoptGRef(webkitURIResponseCreateForResourceResponse(webRedirectResponse->resourceResponse())) : 0;
-
+ GRefPtr<WebKitURIResponse> redirectResponse = webRedirectResponse ? adoptGRef(webkitURIResponseCreateForResourceResponse(webRedirectResponse->resourceResponse())) : nullptr;
webkitWebResourceSentRequest(resource.get(), request.get(), redirectResponse.get());
} else if (g_str_equal(messageName, "DidReceiveResponseForResource")) {
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
GRefPtr<WebKitWebResource> resource = webkitWebViewGetLoadingWebResource(webView, resourceIdentifier->value());
if (!resource)
return;
API::URLResponse* webResponse = static_cast<API::URLResponse*>(message.get(String::fromUTF8("Response")));
+ if (!webResponse)
+ return;
+
GRefPtr<WebKitURIResponse> response = adoptGRef(webkitURIResponseCreateForResourceResponse(webResponse->resourceResponse()));
-
webkitWebResourceSetResponse(resource.get(), response.get());
} else if (g_str_equal(messageName, "DidReceiveContentLengthForResource")) {
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
GRefPtr<WebKitWebResource> resource = webkitWebViewGetLoadingWebResource(webView, resourceIdentifier->value());
if (!resource)
return;
API::UInt64* contentLength = static_cast<API::UInt64*>(message.get(String::fromUTF8("ContentLength")));
+ if (!contentLength)
+ return;
+
webkitWebResourceNotifyProgress(resource.get(), contentLength->value());
} else if (g_str_equal(messageName, "DidFinishLoadForResource")) {
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
GRefPtr<WebKitWebResource> resource = webkitWebViewGetLoadingWebResource(webView, resourceIdentifier->value());
if (!resource)
return;
@@ -90,11 +117,17 @@
webkitWebViewRemoveLoadingWebResource(webView, resourceIdentifier->value());
} else if (g_str_equal(messageName, "DidFailLoadForResource")) {
API::UInt64* resourceIdentifier = static_cast<API::UInt64*>(message.get(String::fromUTF8("Identifier")));
+ if (!resourceIdentifier)
+ return;
+
GRefPtr<WebKitWebResource> resource = webkitWebViewGetLoadingWebResource(webView, resourceIdentifier->value());
if (!resource)
return;
API::Error* webError = static_cast<API::Error*>(message.get(String::fromUTF8("Error")));
+ if (!webError)
+ return;
+
const ResourceError& platformError = webError->platformError();
GUniquePtr<GError> resourceError(g_error_new_literal(g_quark_from_string(platformError.domain().utf8().data()),
toWebKitError(platformError.errorCode()), platformError.localizedDescription().utf8().data()));
@@ -107,6 +140,9 @@
#if PLATFORM(GTK)
} else if (g_str_equal(messageName, "DidGetSnapshot")) {
API::UInt64* callbackID = static_cast<API::UInt64*>(message.get("CallbackID"));
+ if (!callbackID)
+ return;
+
WebImage* image = static_cast<WebImage*>(message.get("Snapshot"));
webKitWebViewDidReceiveSnapshot(webView, callbackID->value(), image);
#endif
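Review bot: `image` from `message.get("Snapshot")` is forwarded to `webKitWebViewDidReceiveSnapshot` without the null check this commit adds to `callbackID` two lines above, so a message without a snapshot reaches the callee with a null pointer. If the callee is designed to take a null image (for example to complete the pending snapshot request as a failure, which would also explain why an early `return` is not used here), that intent is not visible in this file and deserves a comment on the call, e.g. `// A missing snapshot is forwarded as null so the pending request is still completed.`; otherwise the same `if (!image) return;` guard belongs here, with care that the pending callback identified by `callbackID` is not left unanswered. The enclosing function continues past the end of this hunk.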
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResource.cpp (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResource.cpp 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResource.cpp 2019-08-04 03:24:05 UTC (rev 248253)
@@ -230,11 +230,11 @@
g_object_notify(G_OBJECT(resource), "uri");
}
-WebKitWebResource* webkitWebResourceCreate(WebFrameProxy* frame, WebKitURIRequest* request, bool isMainResource)
+WebKitWebResource* webkitWebResourceCreate(WebFrameProxy& frame, WebKitURIRequest* request, bool isMainResource)
{
ASSERT(frame);
WebKitWebResource* resource = WEBKIT_WEB_RESOURCE(g_object_new(WEBKIT_TYPE_WEB_RESOURCE, NULL));
- resource->priv->frame = frame;
+ resource->priv->frame = &frame;
resource->priv->uri = webkit_uri_request_get_uri(request);
resource->priv->isMainResource = isMainResource;
return resource;
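Review bot: `ASSERT(frame);` on the context line after the new signature now tests a `WebFrameProxy&`, which can never be null, so the assertion no longer checks anything; and unless `WebFrameProxy` is contextually convertible to bool, the `!(frame)` expansion in assertion-enabled builds will not compile, since the null check has moved to the call site in WebKitInjectedBundleClient.cpp. The line should simply be removed: drop `ASSERT(frame);`. Separately, `resource->priv->frame = &frame;` stores a raw non-owning pointer into the resource; a one-line comment on that assignment stating the lifetime contract (the frame must outlive the resource, or whatever clears the pointer when the frame goes away — not visible from this hunk) would document what the new call-site null check is protecting.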
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResourcePrivate.h (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResourcePrivate.h 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebResourcePrivate.h 2019-08-04 03:24:05 UTC (rev 248253)
@@ -21,7 +21,7 @@
#include "WebKitWebResource.h"
-WebKitWebResource* webkitWebResourceCreate(WebKit::WebFrameProxy*, WebKitURIRequest*, bool isMainResource);
+WebKitWebResource* webkitWebResourceCreate(WebKit::WebFrameProxy&, WebKitURIRequest*, bool isMainResource);
void webkitWebResourceSentRequest(WebKitWebResource*, WebKitURIRequest*, WebKitURIResponse*);
void webkitWebResourceSetResponse(WebKitWebResource*, WebKitURIResponse*);
void webkitWebResourceNotifyProgress(WebKitWebResource*, guint64 bytesReceived);
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebView.cpp 2019-08-04 03:24:05 UTC (rev 248253)
@@ -2378,10 +2378,10 @@
}
#endif
-void webkitWebViewResourceLoadStarted(WebKitWebView* webView, WebFrameProxy* frame, uint64_t resourceIdentifier, WebKitURIRequest* request)
+void webkitWebViewResourceLoadStarted(WebKitWebView* webView, WebFrameProxy& frame, uint64_t resourceIdentifier, WebKitURIRequest* request)
{
WebKitWebViewPrivate* priv = webView->priv;
- bool isMainResource = frame->isMainFrame() && !priv->mainResource;
+ bool isMainResource = frame.isMainFrame() && !priv->mainResource;
WebKitWebResource* resource = webkitWebResourceCreate(frame, request, isMainResource);
if (isMainResource)
priv->mainResource = resource;
Modified: releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebViewPrivate.h (248252 => 248253)
--- releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebViewPrivate.h 2019-08-04 03:24:02 UTC (rev 248252)
+++ releases/WebKitGTK/webkit-2.24/Source/WebKit/UIProcess/API/glib/WebKitWebViewPrivate.h 2019-08-04 03:24:05 UTC (rev 248253)
@@ -69,7 +69,7 @@
void webkitWebViewMouseTargetChanged(WebKitWebView*, const WebKit::WebHitTestResultData&, OptionSet<WebKit::WebEvent::Modifier>);
void webkitWebViewHandleDownloadRequest(WebKitWebView*, WebKit::DownloadProxy*);
void webkitWebViewPrintFrame(WebKitWebView*, WebKit::WebFrameProxy*);
-void webkitWebViewResourceLoadStarted(WebKitWebView*, WebKit::WebFrameProxy*, uint64_t resourceIdentifier, WebKitURIRequest*);
+void webkitWebViewResourceLoadStarted(WebKitWebView*, WebKit::WebFrameProxy&, uint64_t resourceIdentifier, WebKitURIRequest*);
void webkitWebViewRunFileChooserRequest(WebKitWebView*, WebKitFileChooserRequest*);
WebKitWebResource* webkitWebViewGetLoadingWebResource(WebKitWebView*, uint64_t resourceIdentifier);
#if PLATFORM(GTK)