Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e68882fc2467c39df45691156138231f20b31bbc
      
https://github.com/WebKit/WebKit/commit/e68882fc2467c39df45691156138231f20b31bbc
  Author: Chris Dumez <[email protected]>
  Date:   2023-10-24 (Tue, 24 Oct 2023)

  Changed paths:
    M Source/WTF/wtf/URL.h
    M Tools/TestWebKitAPI/Tests/WTF/URL.cpp

  Log Message:
  -----------
  The URL move constructor doesn't invalidate the "moved-out" URL
https://bugs.webkit.org/show_bug.cgi?id=263615

Reviewed by Ryosuke Niwa.

The URL move constructor doesn't invalidate the "moved-out" URL. This can lead
WebKit code to do weird things.

For example, URLKeepingBlobAlive contains a m_url data member and is often
moved-out to pass to a lambda. The destructor of the "moved-out"
URLKeepingBlobAlive then runs and calls `unregisterBlobURLHandleIfNecessary()`.
`unregisterBlobURLHandleIfNecessary()` will try to use m_url after it's been
moved out to see if the URL protocol is "blob". This causes URL::protocolIs()
to try to do out-of-bound access in the underlying String (since the URL is
marked as valid, even though its m_string was moved out and other data members
that are indexes into that string were not reset). Luckily, String's operator[]
just returns nil when doing an out of bounds access at the moment.

* Source/WTF/wtf/URL.h:
(WTF::URL::URL):
(WTF::URL::operator=):
* Tools/TestWebKitAPI/Tests/WTF/URL.cpp:
(TestWebKitAPI::TEST_F):

Canonical link: https://commits.webkit.org/269750@main
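The hazard described in the commit message, as an added illustration that is not WebKit's WTF::URL or the patch itself: a URL-like value that stores a string, an index into that string and a validity flag. A defaulted move constructor (the "before") moves the string but leaves the index and flag untouched, so the moved-from object still claims to be valid; the "after" resets the moved-from object. Names (UrlLike, BuggyUrl, FixedUrl, m_schemeEnd, hasStaleIndex) are constructed for the example.

```cpp
#include <string>
#include <utility>

// Constructed URL-like value (not WTF::URL): a string, an index into it, and a
// validity flag that protocolIs() trusts.
struct UrlLike {
    std::string m_string;
    size_t m_schemeEnd = 0;   // index of ':' in m_string
    bool m_isValid = false;

    explicit UrlLike(std::string s) : m_string(std::move(s)) {
        size_t pos = m_string.find(':');
        if (pos != std::string::npos) { m_schemeEnd = pos; m_isValid = true; }
    }
    // The string is emptied on move (like a moved-out WTF::String becoming null),
    // but the index and flag are copied as-is.
    UrlLike(UrlLike&& other) noexcept
        : m_string(std::exchange(other.m_string, std::string())),
          m_schemeEnd(other.m_schemeEnd), m_isValid(other.m_isValid) {}

    // Inconsistent state: flagged valid while the index points past the string.
    bool hasStaleIndex() const { return m_isValid && m_schemeEnd > m_string.size(); }

    // Mirrors the bug report's protocolIs(); the stale-index check keeps this
    // example well-defined where the real code would read past the string.
    bool protocolIs(const std::string& scheme) const {
        if (!m_isValid || hasStaleIndex()) return false;
        return m_string.compare(0, m_schemeEnd, scheme) == 0;
    }
};

// "Before": defaulted move leaves the moved-from object marked valid.
struct BuggyUrl : UrlLike {
    using UrlLike::UrlLike;
    BuggyUrl(BuggyUrl&&) = default;
};

// "After": move, then invalidate the moved-from object so later calls on it
// (e.g. from its destructor) see an invalid URL instead of a dangling index.
struct FixedUrl : UrlLike {
    using UrlLike::UrlLike;
    FixedUrl(FixedUrl&& other) noexcept : UrlLike(std::move(other)) {
        other.m_schemeEnd = 0;
        other.m_isValid = false;
    }
};

bool buggyMovedFromHasStaleIndex() { BuggyUrl a("blob:abc"); BuggyUrl b(std::move(a)); return b.protocolIs("blob") && a.hasStaleIndex(); }
bool fixedMovedFromIsInvalid()    { FixedUrl c("blob:abc"); FixedUrl d(std::move(c)); return d.protocolIs("blob") && !c.m_isValid && !c.protocolIs("blob"); }
```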


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
