Title: [151812] trunk
Revision: 151812
Author: [email protected]
Date: 2013-06-20 17:44:38 -0700 (Thu, 20 Jun 2013)

Log Message

        https://bugs.webkit.org/show_bug.cgi?id=116495
        Fix null-pointer deref in DocumentLoader::responseReceived()

        Patch by Nate Chapin, reviewed by Mike West and myself.

        Test: http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html

        * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::responseReceived): Added
        a null check.
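The hazard this change fixes is a re-entrancy one: dispatching the load event synchronously runs page script, and that script may remove the iframe, which detaches the frame and cancels the in-flight load before `responseReceived()` gets back to its own `cancelMainResourceLoad()` call. The following is an added, self-contained C++ model of that sequence (it is not WebKit code; the `DocumentLoader`, `FrameLoader`, `detach()` and `responseReceivedDenied()` names here are stand-ins chosen for this illustration). It runs the scenario from the layout test, once with the pre-r151812 behaviour and once with the null check, and reports whether the loader would have dereferenced a null `frameLoader()` and how many times the load was cancelled.

```cpp
// Added model (not WebKit code) of the re-entrancy hazard fixed in r151812:
// a synchronous event dispatch may run script that detaches the frame, after
// which DocumentLoader::frameLoader() returns null.
#include <cstdio>
#include <functional>

struct FrameLoader;

// Minimal stand-in for WebCore's DocumentLoader (hypothetical simplification).
struct DocumentLoader {
    FrameLoader* m_frameLoader = nullptr;   // cleared when the frame is detached
    int cancelCount = 0;                    // how many times the load was cancelled
    bool nullDeref = false;                 // records the would-be null dereference

    FrameLoader* frameLoader() const { return m_frameLoader; }
    void cancelMainResourceLoad() { ++cancelCount; }

    // The page's onload handler (models loaded() in the layout test).
    std::function<void()> loadEventHandler;

    // Models the X-Frame-Options deny branch of responseReceived().
    void responseReceivedDenied(bool withFix) {
        // Dispatch the load event synchronously; script may detach our frame.
        if (loadEventHandler)
            loadEventHandler();

        if (withFix) {
            // r151812: the load event might have detached this frame; in that
            // case the load was already cancelled during detach.
            if (frameLoader())
                cancelMainResourceLoad();
            return;
        }

        // Pre-fix behaviour: frameLoader() is used unconditionally.
        if (!frameLoader()) {
            nullDeref = true;               // real code would crash here
            return;
        }
        cancelMainResourceLoad();
    }
};

// Stand-in for the frame/FrameLoader pair owning the DocumentLoader.
struct FrameLoader {
    DocumentLoader* documentLoader;
    explicit FrameLoader(DocumentLoader* dl) : documentLoader(dl) { dl->m_frameLoader = this; }

    // Models frame detach: cancels the in-flight load and severs the link.
    void detach() {
        documentLoader->cancelMainResourceLoad();
        documentLoader->m_frameLoader = nullptr;
    }
};

struct Outcome {
    bool nullDeref;
    int cancelCount;
};

// Scenario from the layout test: the load event removes the iframe.
Outcome runDetachInLoadEvent(bool withFix) {
    DocumentLoader loader;
    FrameLoader frameLoader(&loader);
    loader.loadEventHandler = [&] { frameLoader.detach(); };
    loader.responseReceivedDenied(withFix);
    return { loader.nullDeref, loader.cancelCount };
}

// Control scenario: the load event handler leaves the frame in place.
Outcome runNormalLoadEvent(bool withFix) {
    DocumentLoader loader;
    FrameLoader frameLoader(&loader);
    loader.loadEventHandler = [] { /* frame stays attached */ };
    loader.responseReceivedDenied(withFix);
    return { loader.nullDeref, loader.cancelCount };
}

int main() {
    Outcome before = runDetachInLoadEvent(false);
    Outcome after = runDetachInLoadEvent(true);
    std::printf("detach in onload, pre-fix : nullDeref=%d cancels=%d\n", before.nullDeref, before.cancelCount);
    std::printf("detach in onload, fixed   : nullDeref=%d cancels=%d\n", after.nullDeref, after.cancelCount);
    return 0;
}
```

In both the fixed and the unfixed variant the load ends up cancelled exactly once when the handler detaches the frame; the only difference is whether the code path survives to say so. That is the property the layout test checks indirectly by simply not crashing.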

Modified Paths

    trunk/LayoutTests/ChangeLog
    trunk/Source/WebCore/ChangeLog
    trunk/Source/WebCore/loader/DocumentLoader.cpp

Added Paths

    trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt
    trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html

Diff

Modified: trunk/LayoutTests/ChangeLog (151811 => 151812)


--- trunk/LayoutTests/ChangeLog	2013-06-20 23:43:04 UTC (rev 151811)
+++ trunk/LayoutTests/ChangeLog	2013-06-21 00:44:38 UTC (rev 151812)
@@ -1,3 +1,13 @@
+2013-06-20  Alexey Proskuryakov  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=116495
+        Fix null-pointer deref in DocumentLoader::responseReceived()
+
+        Patch by Nate Chapin, reviewed by Mike West and myself.
+
+        * http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt: Added.
+        * http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html: Added.
+
 2013-06-20  Enrica Casucci  <[email protected]>
 
         Initial advance on the first glyph of the run is not correctly set for rtl text.

Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt (0 => 151812)


--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt	2013-06-21 00:44:38 UTC (rev 151812)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi' in a frame because it set 'X-Frame-Options' to 'deny'.
+Test that if an iframe is denied, we don't crash if the load event detaches the frame.
Property changes on: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt
___________________________________________________________________

Added: svn:mime-type

Added: svn:eol-style

Added: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html (0 => 151812)


--- trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html	2013-06-21 00:44:38 UTC (rev 151812)
@@ -0,0 +1,14 @@
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    function loaded() {
+        document.body.removeChild(document.getElementById("i"));
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+</script>
+Test that if an iframe is denied, we don't crash if the load event detaches the frame.
+<iframe id="i" src="" _onload_="loaded()"></iframe>
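Review bot: as listed, the iframe has `src=""` and an attribute spelled `_onload_`, which would not exercise the X-Frame-Options deny path at all; the expected output above names `http://127.0.0.1:8000/security/XFrameOptions/resources/x-frame-options-deny.cgi` as the denied document, so the element should point at `resources/x-frame-options-deny.cgi` with a plain `onload="loaded()"`. This is most likely the mailing-list archive stripping the URL and mangling the attribute, but please confirm the committed file, since an `about:blank` frame would fire load and pass the test without ever hitting the branch being fixed.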
Property changes on: trunk/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html
___________________________________________________________________

Added: svn:mime-type

Modified: trunk/Source/WebCore/ChangeLog (151811 => 151812)


--- trunk/Source/WebCore/ChangeLog	2013-06-20 23:43:04 UTC (rev 151811)
+++ trunk/Source/WebCore/ChangeLog	2013-06-21 00:44:38 UTC (rev 151812)
@@ -1,3 +1,15 @@
+2013-06-20  Alexey Proskuryakov  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=116495
+        Fix null-pointer deref in DocumentLoader::responseReceived()
+
+        Patch by Nate Chapin, reviewed by Mike West and myself.
+
+        Test: http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html
+
+        * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::responseReceived): Added
+        a null check.
+
 2013-06-20  Roger Fong  <[email protected]>
 
         Unreviewed. Roll out part of r150618.

Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (151811 => 151812)


--- trunk/Source/WebCore/loader/DocumentLoader.cpp	2013-06-20 23:43:04 UTC (rev 151811)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp	2013-06-21 00:44:38 UTC (rev 151812)
@@ -581,7 +581,10 @@
             frame()->document()->enforceSandboxFlags(SandboxOrigin);
             if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
                 ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
-            cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
+
+            // The load event might have detached this frame. In that case, the load will already have been cancelled during detach.
+            if (frameLoader())
+                cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
             return;
         }
     }
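Review bot: the `if (frameLoader())` check handles the frame being detached during `dispatchEvent`, but the line after it still touches `m_request` and calls a member on `this` after arbitrary script has run; if removing the iframe can drop the last reference to this DocumentLoader, the function needs a `RefPtr<DocumentLoader> protect(this)` ahead of the dispatch (or the caller must guarantee the lifetime), otherwise the null check only moves the crash. The comment also states the load "will already have been cancelled during detach"; an ASSERT in the else case would make that expectation checked in debug builds rather than assumed.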
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
