Title: [259305] trunk/Source/WebCore
- Revision: 259305
- Author: [email protected]
- Date: 2020-03-31 12:56:26 -0700 (Tue, 31 Mar 2020)
Log Message
Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
https://bugs.webkit.org/show_bug.cgi?id=209786
Patch by Pinki Gyanchandani <[email protected]> on 2020-03-31
Reviewed by Ryosuke Niwa.
No new tests. A reduced test will be added later. Currently the issue is verified with the original test case in the associated radar-58416328.
WebKit1-only issue, where m_client.dispatchDidCommitLoad in FrameLoader::dispatchDidCommitLoad could cause the frame to be destroyed, with m_frame still being accessed outside. Changes made to protect the DocumentLoader and Frame.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::finishedLoading):
(WebCore::DocumentLoader::handleSubstituteDataLoadNow):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::receivedFirstData):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (259304 => 259305)
--- trunk/Source/WebCore/ChangeLog 2020-03-31 19:55:33 UTC (rev 259304)
+++ trunk/Source/WebCore/ChangeLog 2020-03-31 19:56:26 UTC (rev 259305)
@@ -1,3 +1,21 @@
+2020-03-31 Pinki Gyanchandani <[email protected]>
+
+ Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
+ https://bugs.webkit.org/show_bug.cgi?id=209786
+
+ Reviewed by Ryosuke Niwa.
+
+ No new tests. Reduced test would be added later. Currently issue is verified with the original testcase in associated radar-58416328.
+
+ Webkit1 only issue, where m_client.dispatchDidCommitLoad in FrameLoader::dispatchDidCommitLoad could cause the frame
+ to be destroyed, and m_frame still being accessed outside. Changes made to protect the DocumentLoader and Frame.
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::finishedLoading):
+ (WebCore::DocumentLoader::handleSubstituteDataLoadNow):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::receivedFirstData):
+
2020-03-31 Lauro Moura <[email protected]>
Buildfix after r259928.
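Review bot: The entry says "No new tests. Reduced test would be added later." but records no bug number for that follow-up, only the radar the original repro lives in; a use-after-free fix without a regression test is easy to regress silently, so either land the reduced test with this change or put the tracking bug for the test in the ChangeLog so it is not lost. Minor: "Webkit1" should be "WebKit1" to match the project's spelling.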
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (259304 => 259305)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2020-03-31 19:55:33 UTC (rev 259304)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2020-03-31 19:56:26 UTC (rev 259305)
@@ -443,6 +443,9 @@
// DocumentWriter::begin() gets called and creates the Document.
if (!m_gotFirstByte)
commitData(0, 0);
+
+ if (!frameLoader())
+ return;
frameLoader()->client().finishedLoading(this);
}
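Review bot: The new `if (!frameLoader()) return;` guards the `frameLoader()->client().finishedLoading(this)` call, but nothing in the hunk says why `frameLoader()` can be null after `commitData(0, 0)`; add a one-line comment tying it to the ChangeLog's explanation (the client's dispatchDidCommitLoad can destroy the frame) so the check is not removed as redundant later. Also confirm that `this` is kept alive across `commitData()`: the ChangeLog says the DocumentLoader is being protected, yet this function receives only the null check, so either a `Ref<DocumentLoader>` protector already exists earlier in `finishedLoading()` (outside the shown context) or the `frameLoader()` call itself runs on a possibly destroyed object.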
@@ -479,6 +482,8 @@
void DocumentLoader::handleSubstituteDataLoadNow()
{
+ Ref<DocumentLoader> protectedThis = makeRef(*this);
+
ResourceResponse response = m_substituteData.response();
if (response.url().isEmpty())
response = ResourceResponse(m_request.url(), m_substituteData.mimeType(), m_substituteData.content()->size(), m_substituteData.textEncoding());
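Review bot: `Ref<DocumentLoader> protectedThis = makeRef(*this);` spells the type twice; the usual forms are `Ref<DocumentLoader> protectedThis(*this);` or `auto protectedThis = makeRef(*this);`, and the FrameLoader hunk in this same patch uses the `auto` form, so pick one for consistency. A comment naming which call later in `handleSubstituteDataLoadNow()` can drop the last reference to this loader would also help, since the two shown context lines (reading `m_substituteData` and `m_request`) give no hint of where the destruction could happen.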
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (259304 => 259305)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-31 19:55:33 UTC (rev 259304)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2020-03-31 19:56:26 UTC (rev 259305)
@@ -706,6 +706,8 @@
void FrameLoader::receivedFirstData()
{
+ auto protectedFrame = makeRef(m_frame);
+
dispatchDidCommitLoad(WTF::nullopt, WTF::nullopt);
dispatchDidClearWindowObjectsInAllWorlds();
dispatchGlobalObjectAvailableInAllWorlds();
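Review bot: `auto protectedFrame = makeRef(m_frame);` keeps the Frame alive across `dispatchDidCommitLoad()`, which matches the ChangeLog's description of the WebKit1 client destroying the frame. A Ref only prevents deallocation, though: if the client callback detaches the frame from its page, `dispatchDidClearWindowObjectsInAllWorlds()` and `dispatchGlobalObjectAvailableInAllWorlds()` still run against a detached frame. Consider an early return when the frame is no longer attached after the dispatch, and add a comment on the protector stating why it is needed here, since nothing in the function body itself makes the hazard visible.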
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes