Changeset 121160 in webkit

Timestamp:

Jun 25, 2012 9:30:49 AM (12 years ago)

Author:

kinuko@chromium.org

Message:

Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks
​https://bugs.webkit.org/show_bug.cgi?id=87019

Reviewed by David Levin.

Should not access the CallbacksBridge's member field after it's freed.

• src/WorkerFileSystemCallbacksBridge.cpp:

(WebKit::WorkerFileSystemCallbacksBridge::cleanUpAfterCallback):

Location:

trunk/Source/WebKit/chromium

Files:

• ChangeLog (modified) (1 diff)
• src/WorkerFileSystemCallbacksBridge.cpp (modified) (1 diff)

trunk/Source/WebKit/chromium/ChangeLog

@@ +1 @@
+2012-06-25  Kinuko Yasuda  <kinuko@chromium.org>
+
+        Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks
+        https://bugs.webkit.org/show_bug.cgi?id=87019
+
+        Reviewed by David Levin.
+
+        Should not access the CallbacksBridge's member field after it's freed.
+
+        * src/WorkerFileSystemCallbacksBridge.cpp:
+        (WebKit::WorkerFileSystemCallbacksBridge::cleanUpAfterCallback):
+
 2012-06-24  Luke Macpherson  <macpherson@chromium.org>
 

trunk/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp

@@ -188 +188 @@
     m_callbacksOnWorkerThread = 0;
     if (m_workerContextObserver) {
-        delete m_workerContextObserver;
+        WorkerFileSystemContextObserver* observer = m_workerContextObserver;
         m_workerContextObserver = 0;
+        // The next line may delete this.
+        delete observer;
     }
 }