Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 20af97e95c1f159d961225ec2322e467695c7bcf
https://github.com/WebKit/WebKit/commit/20af97e95c1f159d961225ec2322e467695c7bcf
Author: Chris Dumez <[email protected]>
Date: 2026-06-09 (Tue, 09 Jun 2026)
Changed paths:
M Source/WebKit/WebProcess/Storage/WebSWClientConnection.cpp
Log Message:
-----------
WebSWClientConnection::notifyRecordResponseBodyChunk uses a HashMap iterator
across an arbitrary callback
https://bugs.webkit.org/show_bug.cgi?id=316625
Reviewed by Youenn Fablet.
WebSWClientConnection::notifyRecordResponseBodyChunk found an entry in
m_retrieveRecordResponseBodyCallbacks, invoked the stored Function<> via
the iterator, and only afterwards called
m_retrieveRecordResponseBodyCallbacks.remove(iterator). The Function is the
body-loader callback registered by BackgroundFetchResponseBodyLoader, which
feeds data into a FetchResponse body / ReadableStream. If anything reachable
from that callback synchronously re-enters retrieveRecordResponseBody (which
calls m_retrieveRecordResponseBodyCallbacks.add(...)) the HashMap may rehash,
invalidating both the in-flight reference returned by iterator->value and
the iterator subsequently passed to remove() — a classic
iterator-after-callback use-after-free.

The sibling handler notifyRecordResponseBodyEnd already uses the safe
take()-then-invoke pattern. Apply the same pattern here: take the callback
out of the map before invoking it, then re-add it for the streaming
(non-terminal) case so subsequent chunks can still reach it.
* Source/WebKit/WebProcess/Storage/WebSWClientConnection.cpp:
(WebKit::WebSWClientConnection::notifyRecordResponseBodyChunk):
Canonical link: https://commits.webkit.org/314860@main
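The take()-then-invoke pattern the commit applies, shown as an added example that is not WebKit's code: a hypothetical std::unordered_map stand-in for the HashMap (it likewise invalidates iterators on rehash), a callback that synchronously re-enters the registering function on every chunk, and the chunk handler written both as the commit describes the old code and as it describes the fix. All type and function names here are assumed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <unordered_map>
#include <utility>

// Hypothetical stand-ins (not WebKit code): record id -> body-loader callback.
using ChunkCallback = std::function<void(int chunk, bool isLast)>;
struct Connection {
    std::unordered_map<uint64_t, ChunkCallback> callbacks;
    uint64_t nextId = 1;
    // Analogue of retrieveRecordResponseBody(): the add() may rehash the map.
    uint64_t retrieve(ChunkCallback cb) {
        uint64_t id = nextId++;
        callbacks.emplace(id, std::move(cb));
        return id;
    }
    // Old pattern (contrast only, never called): invoke through the iterator,
    // then erase by it. A re-entrant retrieve() inside cb can rehash, leaving
    // `it` and the reference it->second that is still executing dangling.
    void notifyChunkOld(uint64_t id, int chunk, bool isLast) {
        auto it = callbacks.find(id);
        if (it == callbacks.end()) return;
        it->second(chunk, isLast);
        if (isLast) callbacks.erase(it);
    }
    // Fixed pattern: take the callback out first, invoke with no live iterator
    // or reference into the map, then re-add it for the streaming case.
    void notifyChunk(uint64_t id, int chunk, bool isLast) {
        auto it = callbacks.find(id);
        if (it == callbacks.end()) return;
        ChunkCallback cb = std::move(it->second);
        callbacks.erase(it);
        cb(chunk, isLast);
        if (!isLast) callbacks.emplace(id, std::move(cb));
    }
};
struct ScenarioResult { int sum; std::size_t registered; bool originalGone; };
// Constructed scenario: the callback re-enters retrieve() 64 times per chunk
// (forcing rehashes mid-callback) while the original stream keeps receiving.
ScenarioResult runReentrantScenario(int chunks) {
    Connection conn;
    int sum = 0;
    uint64_t id = conn.retrieve([&](int chunk, bool isLast) {
        sum += chunk;
        if (!isLast)
            for (int i = 0; i < 64; ++i) conn.retrieve([](int, bool) {});
    });
    for (int i = 1; i <= chunks; ++i) conn.notifyChunk(id, i, i == chunks);
    return { sum, conn.callbacks.size(), conn.callbacks.count(id) == 0 };
}
```

With the fixed handler every chunk still reaches the original callback, the re-entrant registrations survive, and the original entry is gone after the terminal chunk; the old handler would execute the same scenario with a possibly dangling iterator.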