[webkit-changes] [122757] trunk/Source/WebKit/blackberry

[commit-queue]

Title: [122757] trunk/Source/WebKit/blackberry

Revision

122757

Author

commit-qu...@webkit.org

Date

2012-07-16 13:44:47 -0700 (Mon, 16 Jul 2012)

Log Message

Any webpage can crash webkit via qnx.callExtensionMethod assuming 'this' is the 'qnx' object.
https://bugs.webkit.org/show_bug.cgi?id=91419

Run the following in inspector to crash WebKit

qnx.callExtensionMethod.apply(window, []);

In the c++ that handles the function it assumes that when callExtensionMethod
is called that 'this' is the object 'qnx'.  The qnx object has a hidden
variable that the code casts and uses, but when 'this' is not qnx such as the
example this will cause a crash.  Any website can insert the above _javascript_
to cause the crash.

Patch by Benjamin C Meyer <bme...@rim.com> on 2012-07-16
Reviewed by Yong Li.

* WebCoreSupport/ClientExtension.cpp:
(clientExtensionMethod):

Modified Paths

• trunk/Source/WebKit/blackberry/ChangeLog
• trunk/Source/WebKit/blackberry/WebCoreSupport/ClientExtension.cpp

Diff

Modified: trunk/Source/WebKit/blackberry/ChangeLog (122756 => 122757)

--- trunk/Source/WebKit/blackberry/ChangeLog	2012-07-16 20:39:12 UTC (rev 122756)
+++ trunk/Source/WebKit/blackberry/ChangeLog	2012-07-16 20:44:47 UTC (rev 122757)
@@ -1,3 +1,23 @@
+2012-07-16  Benjamin C Meyer  <bme...@rim.com>
+
+        Any webpage can crash webkit via qnx.callExtensionMethod assuming 'this' is the 'qnx' object.
+        https://bugs.webkit.org/show_bug.cgi?id=91419
+
+        Run the following in inspector to crash WebKit
+
+        qnx.callExtensionMethod.apply(window, []);
+
+        In the c++ that handles the function it assumes that when callExtensionMethod
+        is called that 'this' is the object 'qnx'.  The qnx object has a hidden
+        variable that the code casts and uses, but when 'this' is not qnx such as the
+        example this will cause a crash.  Any website can insert the above _javascript_
+        to cause the crash.
+
+        Reviewed by Yong Li.
+
+        * WebCoreSupport/ClientExtension.cpp:
+        (clientExtensionMethod):
+
 2012-07-16  Yong Li  <y...@rim.com>
 
         [BlackBerry] Improve about:memory page

Modified: trunk/Source/WebKit/blackberry/WebCoreSupport/ClientExtension.cpp (122756 => 122757)

--- trunk/Source/WebKit/blackberry/WebCoreSupport/ClientExtension.cpp	2012-07-16 20:39:12 UTC (rev 122756)
+++ trunk/Source/WebKit/blackberry/WebCoreSupport/ClientExtension.cpp	2012-07-16 20:44:47 UTC (rev 122757)
@@ -50,7 +50,9 @@
     }
 
     WebPageClient* client = reinterpret_cast<WebPageClient*>(JSObjectGetPrivate(thisObject));
-    string retVal = client->invokeClientJavaScriptCallback(strArgs, argumentCount).utf8();
+    string retVal;
+    if (client)
+        retVal = client->invokeClientJavaScriptCallback(strArgs, argumentCount).utf8();
     if (!retVal.empty())
         jsRetVal = JSValueMakeString(ctx, JSStringCreateWithUTF8CString(retVal.c_str()));
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes