Title: [145656] branches/safari-536.30-branch/Source/WebCore
- Revision
- 145656
- Author
- [email protected]
- Date
- 2013-03-12 18:24:45 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r139551. <rdar://problem/13334836>
Modified Paths
Diff
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145655 => 145656)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:23:01 UTC (rev 145655)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:24:45 UTC (rev 145656)
@@ -1,5 +1,26 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r139551
+
+ 2013-01-12 Gavin Peters <[email protected]>
+
+ Regression(r119759): Heap-use-after-free in webkit_glue::WebURLLoaderImpl::Context::OnReceivedResponse
+ https://bugs.webkit.org/show_bug.cgi?id=103563
+
+ A subresource could receive a body on a 404 if its call to CachedResource::error() resulted in a nested message loop.
+ That caused a crash when data was received, as the Subresource was in the Finished state already. Now when receiving
+ data we ignore these bodies, avoiding the crash.
+
+ Reviewed by Nate Chapin.
+
+ No new tests in WebKit, since it required a nested message loop which isn't present in chromium DumpRender tree.
+ There's a Chrome side browser test, see https://codereview.chromium.org/11778083/
+
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkForHTTPStatusCodeError):
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r139457
2013-01-11 Florin Malita <[email protected]>
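Review bot: The merged ChangeLog entry lists only `(WebCore::SubresourceLoader::checkForHTTPStatusCodeError)` under `loader/SubresourceLoader.cpp`, but the accompanying diff also changes `SubresourceLoader::didReceiveData` (the new early return on an error status code). Add `(WebCore::SubresourceLoader::didReceiveData):` to the function list so the ChangeLog matches the code that actually changed.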
Modified: branches/safari-536.30-branch/Source/WebCore/loader/SubresourceLoader.cpp (145655 => 145656)
--- branches/safari-536.30-branch/Source/WebCore/loader/SubresourceLoader.cpp 2013-03-13 01:23:01 UTC (rev 145655)
+++ branches/safari-536.30-branch/Source/WebCore/loader/SubresourceLoader.cpp 2013-03-13 01:24:45 UTC (rev 145656)
@@ -213,6 +213,8 @@
void SubresourceLoader::didReceiveData(const char* data, int length, long long encodedDataLength, bool allAtOnce)
{
+ if (m_resource->response().httpStatusCode() >= 400 && !m_resource->shouldIgnoreHTTPStatusCodeErrors())
+ return;
ASSERT(!m_resource->resourceToRevalidate());
ASSERT(!m_resource->errorOccurred());
ASSERT(m_state == Initialized);
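Review bot: The new guard in `didReceiveData` repeats the predicate already used in `checkForHTTPStatusCodeError` (`httpStatusCode() >= 400 && !shouldIgnoreHTTPStatusCodeErrors()`, with the sense inverted there); consider factoring it into one small helper so the two call sites cannot drift apart. A short comment on the early return would also help, since it deliberately runs before the `ASSERT(m_state == Initialized)` to drop a late body that arrives after the resource has already been failed, which is not obvious from the two lines alone.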
@@ -232,8 +234,8 @@
if (m_resource->response().httpStatusCode() < 400 || m_resource->shouldIgnoreHTTPStatusCodeErrors())
return false;
+ m_state = Finishing;
m_resource->error(CachedResource::LoadError);
- m_state = Finishing;
cancel();
return true;
}
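Review bot: Moving `m_state = Finishing;` ahead of `m_resource->error(CachedResource::LoadError)` is the part of this change that matters for the re-entrancy bug (the ChangeLog says `error()` can spin a nested message loop), yet nothing in the code records that the ordering is load-bearing. Add a comment above the assignment stating that the state must be updated before calling `error()` because that call may re-enter the loader; otherwise a future cleanup could swap the two lines back and silently reintroduce the use-after-free.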
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes