Changeset 196367 in webkit

Timestamp:

Feb 10, 2016 9:23:22 AM (8 years ago)

Author:

jer.noble@apple.com

Message:

REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
​https://bugs.webkit.org/show_bug.cgi?id=153727
<rdar://problem/24429886>

Reviewed by Darin Adler.

Follow-up after r195965. Only protect those parts of CachedResource::removeClient() which
affect the MemoryCache when allowsCaching() is false.

• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::removeClient):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/cache/CachedResource.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-10  Jer Noble  <jer.noble@apple.com>
+
+        REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
+        https://bugs.webkit.org/show_bug.cgi?id=153727
+        <rdar://problem/24429886>
+
+        Reviewed by Darin Adler.
+
+        Follow-up after r195965. Only protect those parts of CachedResource::removeClient() which
+        affect the MemoryCache when allowsCaching() is false.
+
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::removeClient):
+
 2016-02-10  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -488 +488 @@
     }
 
-    if (!allowsCaching() || hasClients())
+    if (hasClients())
         return;
 
     auto& memoryCache = MemoryCache::singleton();
-    if (inCache()) {
+    if (allowsCaching() && inCache()) {
         memoryCache.removeFromLiveResourcesSize(*this);
         memoryCache.removeFromLiveDecodedResourcesList(*this);
@@ -499 +499 @@
         allClientsRemoved();
     destroyDecodedDataIfNeeded();
+
+    if (!allowsCaching())
+        return;
+
     if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
         // RFC2616 14.9.2: