Changeset 227758 in webkit

Timestamp:

Jan 29, 2018 3:17:13 PM (6 years ago)

Author:

achristensen@apple.com

Message:

Make policy checks more robust against null pointer dereferencing
​https://bugs.webkit.org/show_bug.cgi?id=182263
<rdar://problem/34895714>

Reviewed by Tim Horton.

We're still dereferencing null. Check everything.

• WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:

(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse):

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-01-29  Alex Christensen  <achristensen@webkit.org>
+
+        Make policy checks more robust against null pointer dereferencing
+        https://bugs.webkit.org/show_bug.cgi?id=182263
+        <rdar://problem/34895714>
+
+        Reviewed by Tim Horton.
+
+        We're still dereferencing null.  Check everything.
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse):
+
 2018-01-29  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp

@@ -749 +749 @@
     if (!coreFrame)
         return function(PolicyAction::Ignore);
-    auto navigationID = static_cast<WebDocumentLoader&>(*coreFrame->loader().provisionalDocumentLoader()).navigationID();
+    auto* policyDocumentLoader = coreFrame->loader().provisionalDocumentLoader();
+    if (!policyDocumentLoader)
+        return function(PolicyAction::Ignore);
+    auto navigationID = static_cast<WebDocumentLoader&>(*policyDocumentLoader).navigationID();
     if (!webPage->sendSync(Messages::WebPageProxy::DecidePolicyForResponseSync(m_frame->frameID(), SecurityOriginData::fromFrame(coreFrame), navigationID, response, request, canShowMIMEType, listenerID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())), Messages::WebPageProxy::DecidePolicyForResponseSync::Reply(receivedPolicyAction, policyAction, downloadID), Seconds::infinity(), IPC::SendSyncOption::InformPlatformProcessWillSuspend)) {
         m_frame->didReceivePolicyDecision(listenerID, PolicyAction::Ignore, 0, { }, { });