Changeset 207443 in webkit


Timestamp:
Oct 17, 2016 5:28:34 PM (7 years ago)
Author:
aestes@apple.com
Message:

Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
https://bugs.webkit.org/show_bug.cgi?id=163476
<rdar://problem/26941395>

Reviewed by Tim Horton.

Source/WebKit2:

When custom content providers are registered and a response has a null MIME type, WebPage
will pass a null String to HashSet::contains(). This results in a null pointer dereference,
since the String hash functions do not support null Strings and unconditionally dereference
their StringImpls. Fixed by checking that Strings are non-null before calling
HashSet::contains() on m_mimeTypesWithCustomContentProviders.

Rearranging WebPage::shouldUseCustomContentProviderForResponse() to call
canPluginHandleResponse() before checking m_mimeTypesWithCustomContentProviders uncovered a
crash in existing layout tests where WebPage::m_mainFrame can be NULL during WebPage
construction (m_mainFrame isn't yet initialized). Fixed this by passing the main Frame to
canPluginHandleResponseInFrame() instead of relying on m_mainFrame.

New API test: WebKit2.LoadDataWithNilMIMEType.

  • WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:

(WebKit::WebFrameLoaderClient::transitionToCommittedFromCachedFrame): Passed
m_frame->coreFrame() to shouldUseCustomContentProviderForResponse().
(WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage): Ditto.

  • WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::canPluginHandleResponse): Added a mainFrame parameter and used it instead
of m_mainFrame->coreFrame().
(WebKit::WebPage::shouldUseCustomContentProviderForResponse): Passed mainFrame to
canPluginHandleResponse(), and checked if mimeType is null before calling
m_mimeTypesWithCustomContentProviders.contains().
(WebKit::WebPage::canShowMIMEType): Checked if MIMEType is null before calling
m_mimeTypesWithCustomContentProviders.contains().

  • WebProcess/WebPage/WebPage.h: Made canPluginHandleResponse() a private declaration.

Tools:

  • TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
  • TestWebKitAPI/Tests/WebKit2Cocoa/LoadDataWithNilMIMEType.mm: Added.

(TEST): Added an API test that passes a nil MIMEType to
-[WKWebView loadData:MIMEType:characterEncodingName:baseURL:].

Location:
trunk
Files:
1 added
6 edited

  • trunk/Source/WebKit2/ChangeLog

    r207441 r207443  
     12016-10-17  Andy Estes  <aestes@apple.com>
     2
     3        Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
     4        https://bugs.webkit.org/show_bug.cgi?id=163476
     5        <rdar://problem/26941395>
     6
     7        Reviewed by Tim Horton.
     8
     9        When custom content providers are registered and a response has a null MIME type, WebPage
     10        will pass a null String to HashSet::contains(). This results in a null pointer dereference,
     11        since the String hash functions do not support null Strings and unconditionally dereference
     12        their StringImpls. Fixed by checking that Strings are non-null before calling
     13        HashSet::contains() on m_mimeTypesWithCustomContentProviders.
     14
     15        Rearranging WebPage::shouldUseCustomContentProviderForResponse() to call
     16        canPluginHandleResponse() before checking m_mimeTypesWithCustomContentProviders uncovered a
     17        crash in existing layout tests where WebPage::m_mainFrame can be NULL during WebPage
     18        construction (m_mainFrame isn't yet initialized). Fixed this by passing the main Frame to
     19        canPluginHandleResponseInFrame() instead of relying on m_mainFrame.
     20
     21        New API test: WebKit2.LoadDataWithNilMIMEType.
     22
     23        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
     24        (WebKit::WebFrameLoaderClient::transitionToCommittedFromCachedFrame): Passed
     25        m_frame->coreFrame() to shouldUseCustomContentProviderForResponse().
     26        (WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage): Ditto.
     27        * WebProcess/WebPage/WebPage.cpp:
     28        (WebKit::WebPage::canPluginHandleResponse): Added a mainFrame parameter and used it instead
     29        of m_mainFrame->coreFrame().
     30        (WebKit::WebPage::shouldUseCustomContentProviderForResponse): Passed mainFrame to
     31        canPluginHandleResponse(), and checked if mimeType is null before calling
     32        m_mimeTypesWithCustomContentProviders.contains().
     33        (WebKit::WebPage::canShowMIMEType): Checked if MIMEType is null before calling
     34        m_mimeTypesWithCustomContentProviders.contains().
     35        * WebProcess/WebPage/WebPage.h: Made canPluginHandleResponse() a private declaration.
     36
    1372016-10-17  Chris Dumez  <cdumez@apple.com>
    238
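Review bot: the ChangeLog sentence "Fixed this by passing the main Frame to canPluginHandleResponseInFrame() instead of relying on m_mainFrame" names a function that does not exist in this changeset; the function that gained the parameter in WebPage.cpp and WebPage.h is canPluginHandleResponse(const ResourceResponse&, const Frame& mainFrame), and the per-function entry a few lines below already uses that name. The entry should use the real name so the log matches the code it describes.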
  • trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp

    r206006 r207443  
    12951295void WebFrameLoaderClient::transitionToCommittedFromCachedFrame(CachedFrame*)
    12961296{
    1297     const ResourceResponse& response = m_frame->coreFrame()->loader().documentLoader()->response();
    1298     m_frameHasCustomContentProvider = m_frame->isMainFrame() && m_frame->page()->shouldUseCustomContentProviderForResponse(response);
     1297    auto& coreFrame = *m_frame->coreFrame();
     1298    const ResourceResponse& response = coreFrame.loader().documentLoader()->response();
     1299    m_frameHasCustomContentProvider = m_frame->isMainFrame() && m_frame->page()->shouldUseCustomContentProviderForResponse(response, coreFrame);
    12991300    m_frameCameFromPageCache = true;
    13001301}
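Review bot: `auto& coreFrame = *m_frame->coreFrame();` at the top of transitionToCommittedFromCachedFrame() dereferences coreFrame() with no check, exactly as the replaced `m_frame->coreFrame()->loader()` chain did, so behaviour is unchanged; given that this changeset exists because a frame pointer was dereferenced before it was initialized, an ASSERT(m_frame->coreFrame()) before the dereference would document that this path only runs once the core frame exists. The `m_frame->isMainFrame() &&` short-circuit is also what keeps the new mainFrame argument honest for `shouldUseCustomContentProviderForResponse(response, coreFrame)`; a short comment there would make that dependency explicit rather than incidental.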
     
    13111312    bool shouldHideScrollbars = shouldDisableScrolling;
    13121313    IntRect fixedVisibleContentRect;
     1314    auto& coreFrame = *m_frame->coreFrame();
    13131315
    13141316#if USE(COORDINATED_GRAPHICS)
    1315     if (m_frame->coreFrame()->view())
    1316         fixedVisibleContentRect = m_frame->coreFrame()->view()->fixedVisibleContentRect();
     1317    if (FrameView* frameView = coreFrame.view())
     1318        fixedVisibleContentRect = frameView->fixedVisibleContentRect();
    13171319    if (shouldUseFixedLayout)
    13181320        shouldHideScrollbars = true;
    13191321#endif
    13201322
    1321     const ResourceResponse& response = m_frame->coreFrame()->loader().documentLoader()->response();
    1322     m_frameHasCustomContentProvider = isMainFrame && webPage->shouldUseCustomContentProviderForResponse(response);
     1323    const ResourceResponse& response = coreFrame.loader().documentLoader()->response();
     1324    m_frameHasCustomContentProvider = isMainFrame && webPage->shouldUseCustomContentProviderForResponse(response, coreFrame);
    13231325    m_frameCameFromPageCache = false;
    13241326
    13251327    ScrollbarMode defaultScrollbarMode = shouldHideScrollbars ? ScrollbarAlwaysOff : ScrollbarAuto;
    13261328
    1327     m_frame->coreFrame()->createView(webPage->size(), backgroundColor, isTransparent,
     1329    coreFrame.createView(webPage->size(), backgroundColor, isTransparent,
    13281330        webPage->fixedLayoutSize(), fixedVisibleContentRect, shouldUseFixedLayout,
    13291331        defaultScrollbarMode, /* lock */ shouldHideScrollbars, defaultScrollbarMode, /* lock */ shouldHideScrollbars);
    13301332
     1333    FrameView* frameView = coreFrame.view();
    13311334    if (int minimumLayoutWidth = webPage->minimumLayoutSize().width()) {
    13321335        int minimumLayoutHeight = std::max(webPage->minimumLayoutSize().height(), 1);
    13331336        int maximumSize = std::numeric_limits<int>::max();
    1334         m_frame->coreFrame()->view()->enableAutoSizeMode(true, IntSize(minimumLayoutWidth, minimumLayoutHeight), IntSize(maximumSize, maximumSize));
     1337        frameView->enableAutoSizeMode(true, IntSize(minimumLayoutWidth, minimumLayoutHeight), IntSize(maximumSize, maximumSize));
    13351338
    13361339        if (webPage->autoSizingShouldExpandToViewHeight())
    1337             m_frame->coreFrame()->view()->setAutoSizeFixedMinimumHeight(webPage->size().height());
    1338     }
    1339 
    1340     m_frame->coreFrame()->view()->setProhibitsScrolling(shouldDisableScrolling);
    1341     m_frame->coreFrame()->view()->setVisualUpdatesAllowedByClient(!webPage->shouldExtendIncrementalRenderingSuppression());
     1340            frameView->setAutoSizeFixedMinimumHeight(webPage->size().height());
     1341    }
     1342
     1343    frameView->setProhibitsScrolling(shouldDisableScrolling);
     1344    frameView->setVisualUpdatesAllowedByClient(!webPage->shouldExtendIncrementalRenderingSuppression());
    13421345#if PLATFORM(COCOA)
    1343     m_frame->coreFrame()->view()->setViewExposedRect(webPage->drawingArea()->viewExposedRect());
     1346    frameView->setViewExposedRect(webPage->drawingArea()->viewExposedRect());
    13441347#endif
    13451348#if PLATFORM(IOS)
    1346     m_frame->coreFrame()->view()->setDelegatesScrolling(true);
     1349    frameView->setDelegatesScrolling(true);
    13471350#endif
    13481351
    13491352    if (webPage->scrollPinningBehavior() != DoNotPin)
    1350         m_frame->coreFrame()->view()->setScrollPinningBehavior(webPage->scrollPinningBehavior());
     1353        frameView->setScrollPinningBehavior(webPage->scrollPinningBehavior());
    13511354
    13521355#if USE(COORDINATED_GRAPHICS)
    13531356    if (shouldUseFixedLayout) {
    1354         m_frame->coreFrame()->view()->setDelegatesScrolling(shouldUseFixedLayout);
    1355         m_frame->coreFrame()->view()->setPaintsEntireContents(shouldUseFixedLayout);
     1357        frameView->setDelegatesScrolling(shouldUseFixedLayout);
     1358        frameView->setPaintsEntireContents(shouldUseFixedLayout);
    13561359        return;
    13571360    }
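Review bot: `FrameView* frameView = coreFrame.view();` is taken immediately after `coreFrame.createView(...)` and then dereferenced unconditionally in every following line of the hunk (enableAutoSizeMode, setProhibitsScrolling, setViewExposedRect, setDelegatesScrolling, setScrollPinningBehavior), whereas the earlier `if (FrameView* frameView = coreFrame.view())` under USE(COORDINATED_GRAPHICS) null-checks the same accessor. The unconditional dereferences mirror the old `m_frame->coreFrame()->view()->` chains, so this is not a regression, but an ASSERT(frameView) right after createView() would state the invariant that createView() always installs a view, and would make the two different treatments of coreFrame.view() in one function look deliberate.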
  • trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

    r207426 r207443  
    45734573}
    45744574
    4575 bool WebPage::canPluginHandleResponse(const ResourceResponse& response)
     4575bool WebPage::canPluginHandleResponse(const ResourceResponse& response, const Frame& mainFrame)
    45764576{
    45774577#if ENABLE(NETSCAPE_PLUGIN_API)
     4578    ASSERT(mainFrame.isMainFrame());
    45784579    uint32_t pluginLoadPolicy;
    4579     bool allowOnlyApplicationPlugins = !m_mainFrame->coreFrame()->loader().subframeLoader().allowPlugins();
     4580    bool allowOnlyApplicationPlugins = !mainFrame.loader().subframeLoader().allowPlugins();
    45804581
    45814582    uint64_t pluginProcessToken;
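Review bot: `ASSERT(mainFrame.isMainFrame());` is debug-only and lives inside the #if ENABLE(NETSCAPE_PLUGIN_API) block, so in release builds, and in non-plugin builds where the parameter is simply UNUSED_PARAM'd, nothing enforces that callers pass the main frame; both call sites in WebFrameLoaderClient.cpp rely on short-circuit evaluation of `isMainFrame && webPage->shouldUseCustomContentProviderForResponse(response, coreFrame)` to uphold the contract. Since the point of the parameter is to stop reading `m_mainFrame->coreFrame()` before m_mainFrame is initialized, a one-line comment above the function saying so would stop a future cleanup from "simplifying" it back.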
     
    45894590#else
    45904591    UNUSED_PARAM(response);
     4592    UNUSED_PARAM(mainFrame);
    45914593    return false;
    45924594#endif
    45934595}
    45944596
    4595 bool WebPage::shouldUseCustomContentProviderForResponse(const ResourceResponse& response)
     4597bool WebPage::shouldUseCustomContentProviderForResponse(const ResourceResponse& response, const Frame& mainFrame)
    45964598{
    45974599    // If a plug-in exists that claims to support this response, it should take precedence over the custom content provider.
    4598     return m_mimeTypesWithCustomContentProviders.contains(response.mimeType()) && !canPluginHandleResponse(response);
     4600    if (canPluginHandleResponse(response, mainFrame))
     4601        return false;
     4602
     4603    auto& mimeType = response.mimeType();
     4604    return mimeType.isNull() ? false : m_mimeTypesWithCustomContentProviders.contains(mimeType);
    45994605}
    46004606
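Review bot: the rewrite of shouldUseCustomContentProviderForResponse() changes evaluation order as well as fixing the null dereference: the old `m_mimeTypesWithCustomContentProviders.contains(response.mimeType()) && !canPluginHandleResponse(response)` only consulted the plug-in machinery when the MIME type was already registered, while the new code calls canPluginHandleResponse(response, mainFrame) for every committed response, registered or not. The commit message says this is what surfaced the latent m_mainFrame crash, which is a good outcome, but the extra plug-in lookup on every load deserves a sentence in the ChangeLog. Stylistically, `mimeType.isNull() ? false : m_mimeTypesWithCustomContentProviders.contains(mimeType)` reads more naturally as `!mimeType.isNull() && m_mimeTypesWithCustomContentProviders.contains(mimeType)`, which is the form canShowMIMEType() uses in the same patch. An empty-but-non-null MIME type still reaches contains(), which is fine since, per the commit message, only null Strings lack a StringImpl for the hash to dereference.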
     
    50215027        return true;
    50225028
    5023     if (m_mimeTypesWithCustomContentProviders.contains(MIMEType))
     5029    if (!MIMEType.isNull() && m_mimeTypesWithCustomContentProviders.contains(MIMEType))
    50245030        return true;
    50255031
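Review bot: the `!MIMEType.isNull() &&` guard in canShowMIMEType() duplicates the null check added to shouldUseCustomContentProviderForResponse(), leaving two places that must remember m_mimeTypesWithCustomContentProviders cannot be queried with a null String. A small private helper on WebPage (say a hypothetical hasCustomContentProviderForMIMEType(const String&)) that owns the null check would keep the invariant in one spot, so a third caller of contains() cannot reintroduce the ASCIICaseInsensitiveHash::hash() crash this patch fixes.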
  • trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h

    r207424 r207443  
    845845#endif
    846846
    847     bool shouldUseCustomContentProviderForResponse(const WebCore::ResourceResponse&);
    848     bool canPluginHandleResponse(const WebCore::ResourceResponse& response);
     847    bool shouldUseCustomContentProviderForResponse(const WebCore::ResourceResponse&, const WebCore::Frame& mainFrame);
    849848
    850849    bool asynchronousPluginInitializationEnabled() const { return m_asynchronousPluginInitializationEnabled; }
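Review bot: the new declaration `bool shouldUseCustomContentProviderForResponse(const WebCore::ResourceResponse&, const WebCore::Frame& mainFrame);` names its second parameter but not its first, while the removed `bool canPluginHandleResponse(const WebCore::ResourceResponse& response);` named its only one; the private declaration added further down has the same mix. Pick one convention for both declarations, and since the header is where callers look, a brief comment that mainFrame must be the page's main frame (the .cpp asserts it) would save a reader the trip to the implementation.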
     
    12261225    void setUserInterfaceLayoutDirection(uint32_t);
    12271226
     1227    bool canPluginHandleResponse(const WebCore::ResourceResponse&, const WebCore::Frame& mainFrame);
     1228
    12281229    uint64_t m_pageID;
    12291230
  • trunk/Tools/ChangeLog

    r207442 r207443  
     12016-10-17  Andy Estes  <aestes@apple.com>
     2
     3        Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
     4        https://bugs.webkit.org/show_bug.cgi?id=163476
     5        <rdar://problem/26941395>
     6
     7        Reviewed by Tim Horton.
     8
     9        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
     10        * TestWebKitAPI/Tests/WebKit2Cocoa/LoadDataWithNilMIMEType.mm: Added.
     11        (TEST): Added an API test that passes a nil MIMEType to
     12        -[WKWebView loadData:MIMEType:characterEncodingName:baseURL:].
     13
    1142016-10-17  Dean Jackson  <dino@apple.com>
    215
  • trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

    r207442 r207443  
    426426                9C64DC321D76198A004B598E /* YouTubePluginReplacement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */; };
    427427                A1146A8D1D2D7115000FE710 /* ContentFiltering.mm in Sources */ = {isa = PBXBuildFile; fileRef = A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */; };
     428                A125478F1DB18B9400358564 /* LoadDataWithNilMIMEType.mm in Sources */ = {isa = PBXBuildFile; fileRef = A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */; };
    428429                A13EBBAA1B87428D00097110 /* WebProcessPlugIn.mm in Sources */ = {isa = PBXBuildFile; fileRef = A13EBBA91B87428D00097110 /* WebProcessPlugIn.mm */; };
    429430                A13EBBAB1B87434600097110 /* PlatformUtilitiesCocoa.mm in Sources */ = {isa = PBXBuildFile; fileRef = 0F139E721A423A2B00F590F5 /* PlatformUtilitiesCocoa.mm */; };
     
    10551056                9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = YouTubePluginReplacement.cpp; sourceTree = "<group>"; };
    10561057                A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ContentFiltering.mm; sourceTree = "<group>"; };
     1058                A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = LoadDataWithNilMIMEType.mm; sourceTree = "<group>"; };
    10571059                A13EBB491B87339E00097110 /* TestWebKitAPI.wkbundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = TestWebKitAPI.wkbundle; sourceTree = BUILT_PRODUCTS_DIR; };
    10581060                A13EBB521B87346600097110 /* WebProcessPlugIn.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = WebProcessPlugIn.xcconfig; sourceTree = "<group>"; };
     
    14281430                                0F3B94A51A77266C00DE3272 /* WKWebViewEvaluateJavaScript.mm */,
    14291431                                9984FACA1CFFAEEE008D198C /* WKWebViewTextInput.mm */,
     1432                                A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */,
    14301433                        );
    14311434                        name = "WebKit2 Cocoa";
     
    23962399                                7CCE7EC01A411A7E00447C4C /* FragmentNavigation.mm in Sources */,
    23972400                                7CCE7EF61A411AE600447C4C /* FrameMIMETypeHTML.cpp in Sources */,
     2401                                A125478F1DB18B9400358564 /* LoadDataWithNilMIMEType.mm in Sources */,
    23982402                                7CCE7EF71A411AE600447C4C /* FrameMIMETypePNG.cpp in Sources */,
    23992403                                7C83E0BD1D0A650C00FEBCF3 /* FullscreenTopContentInset.mm in Sources */,
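Review bot: the new `A125478F1DB18B9400358564 /* LoadDataWithNilMIMEType.mm in Sources */` entry is inserted between FrameMIMETypeHTML.cpp and FrameMIMETypePNG.cpp, breaking the alphabetical order the surrounding Sources entries follow; the group entry in the "WebKit2 Cocoa" hunk above is likewise placed after WKWebViewTextInput.mm rather than among the L entries. Both belong in sorted position so the project file stays mergeable and later additions land predictably.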