Changeset 195965 in webkit


Timestamp:
Feb 1, 2016 10:15:25 AM (8 years ago)
Author:
jer.noble@apple.com
Message:

REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
https://bugs.webkit.org/show_bug.cgi?id=153727
<rdar://problem/24429886>

Reviewed by Chris Dumez.

The `this` object may be freed after calling deleteIfPossible(). Make the early-return-if-deleted more explicit, and only check allowsCaching() after the deleteIfPossible() return value check.

  • loader/cache/CachedResource.cpp:
    (WebCore::CachedResource::removeClient):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r195960 r195965  
     12016-02-01  Jer Noble  <jer.noble@apple.com>
     2
     3        REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
     4        https://bugs.webkit.org/show_bug.cgi?id=153727
     5        <rdar://problem/24429886>
     6
     7        Reviewed by Chris Dumez.
     8
     9        The `this` object may be freed after calling deleteIfPossible(). Make the early-return-if-
     10        deleted more explicit, and only check allowsCaching() after the deleteIfPossible() return
     11        value check.
     12
     13        * loader/cache/CachedResource.cpp:
     14        (WebCore::CachedResource::removeClient):
     15
    1162016-02-01  Dan Bernstein  <mitz@apple.com>
    217
  • trunk/Source/WebCore/loader/cache/CachedResource.cpp

    r195770 r195965  
    483483    }
    484484
    485     bool deleted = deleteIfPossible();
    486     if (allowsCaching() && !deleted && !hasClients()) {
    487         auto& memoryCache = MemoryCache::singleton();
    488         if (inCache()) {
    489             memoryCache.removeFromLiveResourcesSize(*this);
    490             memoryCache.removeFromLiveDecodedResourcesList(*this);
    491         }
    492         if (!m_switchingClientsToRevalidatedResource)
    493             allClientsRemoved();
    494         destroyDecodedDataIfNeeded();
    495         if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
    496             // RFC2616 14.9.2:
    497             // "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
    498             // "... History buffers MAY store such responses as part of their normal operation."
    499             // We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
    500             memoryCache.remove(*this);
    501         }
    502         memoryCache.pruneSoon();
    503     }
    504     // This object may be dead here.
     485    if (deleteIfPossible()) {
     486        // `this` object is dead here.
     487        return;
     488    }
     489
     490    if (!allowsCaching() || hasClients())
     491        return;
     492
     493    auto& memoryCache = MemoryCache::singleton();
     494    if (inCache()) {
     495        memoryCache.removeFromLiveResourcesSize(*this);
     496        memoryCache.removeFromLiveDecodedResourcesList(*this);
     497    }
     498    if (!m_switchingClientsToRevalidatedResource)
     499        allClientsRemoved();
     500    destroyDecodedDataIfNeeded();
     501    if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
     502        // RFC2616 14.9.2:
     503        // "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
     504        // "... History buffers MAY store such responses as part of their normal operation."
     505        // We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
     506        memoryCache.remove(*this);
     507    }
     508    memoryCache.pruneSoon();
    505509}
    506510
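Review bot: the root cause is visible in the removed line 486: in `if (allowsCaching() && !deleted && !hasClients())` the `allowsCaching()` call (which reads `m_options.cachingPolicy` on `this`) is evaluated before `!deleted`, so it dereferences a freed object whenever `deleteIfPossible()` returned true. The new lines 485-491 fix this by returning before any further member access when `deleteIfPossible()` is true, and only then testing `allowsCaching()` and `hasClients()`; the two early returns are equivalent to the old combined condition, so the cache bookkeeping that follows is unchanged. Since the hazard lives in the contract of `deleteIfPossible()` rather than at this one call site, consider documenting on its declaration (outside this hunk) that a true return means `this` has been destroyed and must not be touched, so other callers do not reintroduce the same ordering bug; the `// \`this\` object is dead here.` comment at line 486 is the right thing to keep at the call site.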