Title: [198471] trunk/Source/WebCore
Revision
198471
Author
[email protected]
Date
2016-03-19 11:54:02 -0700 (Sat, 19 Mar 2016)

Log Message

Data URL DecodeTask may get deleted outside main thread
https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104

Reviewed by David Kilzer.

Follow-up: fix a possible null pointer crash.

* platform/network/DataURLDecoder.cpp:
(WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):

    If the timer fires under startOneShot, m_decodeTask may become zero before schedule() is called.
    Fix by copying schedule context to a local before calling startOneShot.
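The hazard the log message describes, modelled in a small added C++ example (not WebKit's code): a dispatcher starts a zero-delay timer whose callback may run synchronously inside startOneShot and release the decode task, so any read of m_decodeTask after startOneShot can hit a null pointer. The `Timer`, `DecodeTask`, `ResultDispatcher` and `makeTask` names, the synchronous-firing switch, and the assumption that timerFired simply drops the task are illustration choices, not the real implementation; the "before" version reports where the original would dereference null instead of crashing.

```cpp
// Added example (not WebKit's code): model of the re-entrancy hazard fixed in r198471.
// Timer, DecodeTask, ResultDispatcher and makeTask are assumed names for illustration.
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct ScheduleContext {
    std::vector<std::string> scheduledPairs; // assumption: run loop / mode pairs as strings
};

struct DecodeTask {
    ScheduleContext scheduleContext;
};

// A timer whose startOneShot() may invoke its callback synchronously; this models
// the "timer fires under startOneShot" case described in the log message.
class Timer {
public:
    Timer(std::function<void()> callback, bool firesSynchronously)
        : m_callback(std::move(callback)), m_firesSynchronously(firesSynchronously) {}
    void startOneShot(double) { if (m_firesSynchronously) m_callback(); }
    void schedule(const std::vector<std::string>& pairs) { m_scheduled = pairs; }
    const std::vector<std::string>& scheduled() const { return m_scheduled; }
private:
    std::function<void()> m_callback;
    bool m_firesSynchronously;
    std::vector<std::string> m_scheduled;
};

class ResultDispatcher {
public:
    ResultDispatcher(std::unique_ptr<DecodeTask> task, bool timerFiresSynchronously)
        : m_decodeTask(std::move(task))
        , m_timer([this] { timerFired(); }, timerFiresSynchronously) {}

    // Before the fix: m_decodeTask is read after startOneShot(). If the timer
    // fired synchronously, timerFired() has already released the task.
    // Returns false at the point where the original would dereference null.
    bool startTimerBeforeFix()
    {
        m_timer.startOneShot(0);
        if (!m_decodeTask)
            return false; // original code: null pointer dereference here
        m_timer.schedule(m_decodeTask->scheduleContext.scheduledPairs);
        return true;
    }

    // After the fix: copy the schedule context to a local before startOneShot(),
    // so it no longer matters whether the timer fires before schedule() runs.
    bool startTimerAfterFix()
    {
        auto scheduledPairs = m_decodeTask->scheduleContext.scheduledPairs;
        m_timer.startOneShot(0);
        m_timer.schedule(scheduledPairs);
        return true;
    }

    const std::vector<std::string>& scheduled() const { return m_timer.scheduled(); }

private:
    // Assumption for the model: firing hands the task off, so the dispatcher no longer owns it.
    void timerFired() { m_decodeTask = nullptr; }

    std::unique_ptr<DecodeTask> m_decodeTask;
    Timer m_timer;
};

std::unique_ptr<DecodeTask> makeTask()
{
    auto task = std::make_unique<DecodeTask>();
    task->scheduleContext.scheduledPairs = { "main-runloop/default-mode" }; // constructed sample value
    return task;
}

// Each helper runs one version of startTimer against a timer that fires either
// synchronously (the problematic case) or later, and reports whether it survived
// and scheduled the expected pairs.
bool beforeFixSurvives(bool timerFiresSynchronously)
{
    ResultDispatcher dispatcher(makeTask(), timerFiresSynchronously);
    return dispatcher.startTimerBeforeFix() && dispatcher.scheduled().size() == 1;
}

bool afterFixSurvives(bool timerFiresSynchronously)
{
    ResultDispatcher dispatcher(makeTask(), timerFiresSynchronously);
    return dispatcher.startTimerAfterFix() && dispatcher.scheduled().size() == 1;
}
```

With a timer that fires later, both versions behave identically; only when the callback runs inside startOneShot does the pre-fix ordering read a cleared m_decodeTask, which is why the fix moves the read in front of the call rather than adding a null check after it.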

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (198470 => 198471)


--- trunk/Source/WebCore/ChangeLog	2016-03-19 18:46:50 UTC (rev 198470)
+++ trunk/Source/WebCore/ChangeLog	2016-03-19 18:54:02 UTC (rev 198471)
@@ -1,3 +1,19 @@
+2016-03-19  Antti Koivisto  <[email protected]>
+
+        Data URL DecodeTask may get deleted outside main thread
+        https://bugs.webkit.org/show_bug.cgi?id=155584
+        rdar://problem/24492104
+
+        Reviewed by David Kilzer.
+
+        Follow-up: fix a possible null pointer crash.
+
+        * platform/network/DataURLDecoder.cpp:
+        (WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):
+
+            If timer fires under startOneShot m_decodeTask may become zero before schedule() is called.
+            Fix by copying schedule context to a local before calling startOneShot.
+
 2016-03-18  Zhuo Li  <[email protected]>
 
         Update AutoFill button in input fields.

Modified: trunk/Source/WebCore/platform/network/DataURLDecoder.cpp (198470 => 198471)


--- trunk/Source/WebCore/platform/network/DataURLDecoder.cpp	2016-03-19 18:46:50 UTC (rev 198470)
+++ trunk/Source/WebCore/platform/network/DataURLDecoder.cpp	2016-03-19 18:54:02 UTC (rev 198471)
@@ -75,8 +75,10 @@
     {
         // Keep alive until the timer has fired.
         ref();
+
+        auto scheduledPairs = m_decodeTask->scheduleContext.scheduledPairs;
         m_timer.startOneShot(0);
-        m_timer.schedule(m_decodeTask->scheduleContext.scheduledPairs);
+        m_timer.schedule(scheduledPairs);
     }
 
     void timerFired()
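Review bot: the reason for the local copy at `auto scheduledPairs = m_decodeTask->scheduleContext.scheduledPairs;` is only recorded in the ChangeLog, not in the code, so a later refactor could move the read back below `m_timer.startOneShot(0);` and reintroduce the null dereference. Suggest a one-line comment above the copy, e.g. `// timerFired() may run inside startOneShot() and clear m_decodeTask, so read the schedule context first.`, matching the existing `// Keep alive until the timer has fired.` comment on `ref()`.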
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes