Title: [139551] trunk/Source/WebCore
- Revision: 139551
- Author: [email protected]
- Date: 2013-01-12 10:05:19 -0800 (Sat, 12 Jan 2013)
Log Message
Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse
https://bugs.webkit.org/show_bug.cgi?id=103563
A subresource could receive a body on a 404 if its call to CachedResource::error() resulted in a nested message loop.
That caused a crash when data was received, as the Subresource was in the Finished state already. Now when receiving
data we ignore these bodies, avoiding the crash.
Reviewed by Nate Chapin.
No new tests in WebKit, since it required a nested message loop which isn't present in chromium DumpRender tree.
There's a Chrome side browser test, see https://codereview.chromium.org/11778083/
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::checkForHTTPStatusCodeError):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (139550 => 139551)
--- trunk/Source/WebCore/ChangeLog 2013-01-12 14:53:03 UTC (rev 139550)
+++ trunk/Source/WebCore/ChangeLog 2013-01-12 18:05:19 UTC (rev 139551)
@@ -1,3 +1,20 @@
+2013-01-12 Gavin Peters <[email protected]>
+
+ Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse
+ https://bugs.webkit.org/show_bug.cgi?id=103563
+
+ A subresource could receive a body on a 404 if its call to CachedResource::error() resulted in a nested message loop.
+ That caused a crash when data was received, as the Subresource was in the Finished state already. Now when receiving
+ data we ignore these bodies, avoiding the crash.
+
+ Reviewed by Nate Chapin.
+
+ No new tests in WebKit, since it required a nested message loop which isn't present in chromium DumpRender tree.
+ There's a Chrome side browser test, see https://codereview.chromium.org/11778083/
+
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkForHTTPStatusCodeError):
+
2013-01-12 Robert Hogan <[email protected]>
Available height should respect min and max height
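Review bot: the "No new tests" paragraph misspells the test harness; "chromium DumpRender tree" should read "Chromium DumpRenderTree" so the entry is searchable by the tool's actual name. It would also help a future reader if the paragraph named the ordering dependency this patch introduces (m_state set to Finishing before CachedResource::error() is called), since the ChangeLog is the only place that prose explanation lives once the bug is closed.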
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (139550 => 139551)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2013-01-12 14:53:03 UTC (rev 139550)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2013-01-12 18:05:19 UTC (rev 139551)
@@ -214,6 +214,8 @@
void SubresourceLoader::didReceiveData(const char* data, int length, long long encodedDataLength, bool allAtOnce)
{
+ if (m_resource->response().httpStatusCode() >= 400 && !m_resource->shouldIgnoreHTTPStatusCodeErrors())
+ return;
ASSERT(!m_resource->resourceToRevalidate());
ASSERT(!m_resource->errorOccurred());
ASSERT(m_state == Initialized);
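Review bot: the early return duplicates, negated, the exact condition already used in checkForHTTPStatusCodeError (`httpStatusCode() >= 400 && !shouldIgnoreHTTPStatusCodeErrors()`), so the two predicates can silently diverge; consider a small helper such as a `bool shouldDropBodyForHTTPStatusError() const` on the loader and call it from both places. The new lines also need a comment stating why they exist: as written, the `return` sits directly above `ASSERT(m_state == Initialized)`, and nothing tells a reader that the body arrives here because CachedResource::error() may spin a nested message loop after the loader has already moved out of Initialized. Without that comment, a later cleanup could plausibly "fix" the dead-looking check and reintroduce the use-after-free.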
@@ -232,8 +234,8 @@
if (m_resource->response().httpStatusCode() < 400 || m_resource->shouldIgnoreHTTPStatusCodeErrors())
return false;
+ m_state = Finishing;
m_resource->error(CachedResource::LoadError);
- m_state = Finishing;
cancel();
return true;
}
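Review bot: moving `m_state = Finishing;` above `m_resource->error(CachedResource::LoadError);` is correct only because error() can re-enter the loader through a nested message loop, and a re-entrant didReceiveData must observe a non-Initialized state; that is an ordering invariant, not a cosmetic swap, so add a one-line comment on the assignment saying so. Note also that the didReceiveData guard in the previous hunk is what actually prevents the crash here (`ASSERT(m_state == Initialized)` would fire in debug builds on the re-entrant path otherwise), so the two hunks depend on each other and should land and be reverted together; the ChangeLog should say this explicitly.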
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes