Changeset 195965 in webkit
- Timestamp:
- Feb 1, 2016 10:15:25 AM (8 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 2 edited
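--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,17 @@
+2016-02-01 Jer Noble <jer.noble@apple.com>
+
+REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
+https://bugs.webkit.org/show_bug.cgi?id=153727
+<rdar://problem/24429886>
+
+Reviewed by Chris Dumez.
+
+The `this` object may be freed after calling deleteIfPossible(). Make the early-return-if-
+deleted more explicit, and only check allowsCaching() after the deleteIfPossible() return
+value check.
+
+* loader/cache/CachedResource.cpp:
+(WebCore::CachedResource::removeClient):
+
 2016-02-01 Dan Bernstein <mitz@apple.com>
 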
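--- a/trunk/Source/WebCore/loader/cache/CachedResource.cpp
+++ b/trunk/Source/WebCore/loader/cache/CachedResource.cpp
@@ -483,24 +483,28 @@
 }
 
-bool deleted = deleteIfPossible();
-if (allowsCaching() && !deleted && !hasClients()) {
-auto& memoryCache = MemoryCache::singleton();
-if (inCache()) {
-memoryCache.removeFromLiveResourcesSize(*this);
-memoryCache.removeFromLiveDecodedResourcesList(*this);
-}
-if (!m_switchingClientsToRevalidatedResource)
-allClientsRemoved();
-destroyDecodedDataIfNeeded();
-if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
-// RFC2616 14.9.2:
-// "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
-// "... History buffers MAY store such responses as part of their normal operation."
-// We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
-memoryCache.remove(*this);
-}
-memoryCache.pruneSoon();
-}
-// This object may be dead here.
+if (deleteIfPossible()) {
+// `this` object is dead here.
+return;
+}
+
+if (!allowsCaching() || hasClients())
+return;
+
+auto& memoryCache = MemoryCache::singleton();
+if (inCache()) {
+memoryCache.removeFromLiveResourcesSize(*this);
+memoryCache.removeFromLiveDecodedResourcesList(*this);
+}
+if (!m_switchingClientsToRevalidatedResource)
+allClientsRemoved();
+destroyDecodedDataIfNeeded();
+if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
+// RFC2616 14.9.2:
+// "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
+// "... History buffers MAY store such responses as part of their normal operation."
+// We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
+memoryCache.remove(*this);
+}
+memoryCache.pruneSoon();
 }
 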
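Review bot: The lifetime rule behind this regression is now documented only on the `deleteIfPossible()` branch, while the tail of the function still ends with `memoryCache.remove(*this)` followed by `memoryCache.pruneSoon()`, and the removed trailing comment `// This object may be dead here.` has no replacement there. If `remove()` can release the resource (not visible in this hunk; confirm against MemoryCache), any member access later added after that call would reintroduce the use-after-free, so I would add `// remove() may free |this|; only memoryCache may be touched below.` above the `memoryCache.remove(*this)` line. The changeset lists only ChangeLog and CachedResource.cpp as edited, so no regression test accompanies the fix; a test that removes the last client of a resource, run under an AddressSanitizer build, would catch a later reordering of these checks. The body of removeClient starts outside the hunk.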