Changeset 151812 in webkit


Timestamp: Jun 20, 2013 5:44:38 PM (11 years ago)
Author: ap@apple.com
Message:

https://bugs.webkit.org/show_bug.cgi?id=116495
Fix null-pointer deref in DocumentLoader::responseReceived()

Patch by Nate Chapin, reviewed by Mike West and myself.

Test: http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html

  • loader/DocumentLoader.cpp: (WebCore::DocumentLoader::responseReceived): Added a null check.
Location: trunk
Files: 2 added, 3 edited

  • trunk/LayoutTests/ChangeLog

    r151807 r151812  
     12013-06-20  Alexey Proskuryakov  <ap@apple.com>
     2
     3        https://bugs.webkit.org/show_bug.cgi?id=116495
     4        Fix null-pointer deref in DocumentLoader::responseReceived()
     5
     6        Patch by Nate Chapin, reviewed by Mike West and myself.
     7
     8        * http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event-expected.txt: Added.
     9        * http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html: Added.
     10
    1112013-06-20  Enrica Casucci  <enrica@apple.com>
    212
  • trunk/Source/WebCore/ChangeLog

    r151811 r151812  
     12013-06-20  Alexey Proskuryakov  <ap@apple.com>
     2
     3        https://bugs.webkit.org/show_bug.cgi?id=116495
     4        Fix null-pointer deref in DocumentLoader::responseReceived()
     5
     6        Patch by Nate Chapin, reviewed by Mike West and myself.
     7
     8        Test: http/tests/security/XFrameOptions/x-frame-options-deny-delete-frame-in-load-event.html
     9
     10        * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::responseReceived): Added
     11        a null check.
     12
    1132013-06-20  Roger Fong  <roger_fong@apple.com>
    214
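Review bot: The WebCore ChangeLog entry at added lines 10-11 says only "Added a null check" and does not name the pointer or the condition under which it is null. Suggest recording that frameLoader() is checked after the load event is dispatched, because the event handler can detach the frame, so the entry carries the same reasoning as the comment added in DocumentLoader.cpp.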
  • trunk/Source/WebCore/loader/DocumentLoader.cpp

    r151099 r151812  
    582582            if (HTMLFrameOwnerElement* ownerElement = frame()->ownerElement())
    583583                ownerElement->dispatchEvent(Event::create(eventNames().loadEvent, false, false));
    584             cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
     584
     585            // The load event might have detached this frame. In that case, the load will already have been cancelled during detach.
     586            if (frameLoader())
     587                cancelMainResourceLoad(frameLoader()->cancelledError(m_request));
    585588            return;
    586589        }
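Review bot: At new lines 586-587, frameLoader() is evaluated twice, once in the guard and once to build the cancelled error, so the check and the use are not tied to the same pointer value. Binding it in the condition, the way line 582 does for ownerElement, would make that explicit: `if (FrameLoader* loader = frameLoader())` followed by `cancelMainResourceLoad(loader->cancelledError(m_request));`. The visible lines also do not show what keeps this DocumentLoader alive while the load event handler runs; since the comment says the handler can detach the frame, confirm that a reference is held before dispatchEvent so that the frameLoader() call itself is safe.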