Changeset 207563 in webkit

Timestamp:

Oct 19, 2016 1:30:27 PM (7 years ago)

Author:

aestes@apple.com

Message:

Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
​https://bugs.webkit.org/show_bug.cgi?id=163476
<rdar://problem/26941395>

Reviewed by Andreas Kling.

Source/WebKit2:

When custom content providers are registered and a response has a null MIME type, WebPage
will pass a null String to HashSet::contains(). This results in a null pointer dereference,
since the String hash functions do not support null Strings and unconditionally dereference
their StringImpls. Fixed by checking that Strings are non-null before calling
HashSet::contains() on m_mimeTypesWithCustomContentProviders.

New API test: WebKit2.LoadDataWithNilMIMEType.

• WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::shouldUseCustomContentProviderForResponse): Checked if mimeType is null
before calling m_mimeTypesWithCustomContentProviders.contains().
(WebKit::WebPage::canShowMIMEType): Ditto.

• WebProcess/WebPage/WebPage.h: Made private the declaration of canPluginHandleResponse().

Tools:

• TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
• TestWebKitAPI/Tests/WebKit2Cocoa/LoadDataWithNilMIMEType.mm: Added.

(TEST): Added an API test that passes a nil MIMEType to
-[WKWebView loadData:MIMEType:characterEncodingName:baseURL:].

Location:

trunk

Files:

• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/WebPage/WebPage.cpp (modified) (2 diffs)
• Source/WebKit2/WebProcess/WebPage/WebPage.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (modified) (4 diffs)
• Tools/TestWebKitAPI/Tests/WebKit2Cocoa/LoadDataWithNilMIMEType.mm (added)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2016-10-19  Andy Estes  <aestes@apple.com>
+
+        Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=163476
+        <rdar://problem/26941395>
+
+        Reviewed by Andreas Kling.
+
+        When custom content providers are registered and a response has a null MIME type, WebPage
+        will pass a null String to HashSet::contains(). This results in a null pointer dereference,
+        since the String hash functions do not support null Strings and unconditionally dereference
+        their StringImpls. Fixed by checking that Strings are non-null before calling
+        HashSet::contains() on m_mimeTypesWithCustomContentProviders.
+
+        New API test: WebKit2.LoadDataWithNilMIMEType.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::shouldUseCustomContentProviderForResponse): Checked if mimeType is null
+        before calling m_mimeTypesWithCustomContentProviders.contains().
+        (WebKit::WebPage::canShowMIMEType): Ditto.
+        * WebProcess/WebPage/WebPage.h: Made private the declaration of canPluginHandleResponse().
+
 2016-10-19  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp

@@ -4600 +4600 @@
 bool WebPage::shouldUseCustomContentProviderForResponse(const ResourceResponse& response)
 {
+    auto& mimeType = response.mimeType();
+    if (mimeType.isNull())
+        return false;
+
     // If a plug-in exists that claims to support this response, it should take precedence over the custom content provider.
-    return m_mimeTypesWithCustomContentProviders.contains(response.mimeType()) && !canPluginHandleResponse(response);
+    // canPluginHandleResponse() is called last because it performs synchronous IPC.
+    return m_mimeTypesWithCustomContentProviders.contains(mimeType) && !canPluginHandleResponse(response);
 }
 
@@ -5026 +5031 @@
         return true;
 
-    if (m_mimeTypesWithCustomContentProviders.contains(MIMEType))
+    if (!MIMEType.isNull() && m_mimeTypesWithCustomContentProviders.contains(MIMEType))
         return true;
 

trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h

@@ -846 +846 @@
 
     bool shouldUseCustomContentProviderForResponse(const WebCore::ResourceResponse&);
-    bool canPluginHandleResponse(const WebCore::ResourceResponse& response);
 
     bool asynchronousPluginInitializationEnabled() const { return m_asynchronousPluginInitializationEnabled; }
@@ -1228 +1227 @@
     void setUserInterfaceLayoutDirection(uint32_t);
 
+    bool canPluginHandleResponse(const WebCore::ResourceResponse&);
+
     uint64_t m_pageID;
 

trunk/Tools/ChangeLog

@@ +1 @@
+2016-10-19  Andy Estes  <aestes@apple.com>
+
+        Crash in ASCIICaseInsensitiveHash::hash() when a response has a null MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=163476
+        <rdar://problem/26941395>
+
+        Reviewed by Andreas Kling.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKit2Cocoa/LoadDataWithNilMIMEType.mm: Added.
+        (TEST): Added an API test that passes a nil MIMEType to
+        -[WKWebView loadData:MIMEType:characterEncodingName:baseURL:].
+
 2016-10-19  Jer Noble  <jer.noble@apple.com>
 

trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj

@@ -426 +426 @@
                 9C64DC321D76198A004B598E /* YouTubePluginReplacement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */; };
                 A1146A8D1D2D7115000FE710 /* ContentFiltering.mm in Sources */ = {isa = PBXBuildFile; fileRef = A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */; };
+                A125478F1DB18B9400358564 /* LoadDataWithNilMIMEType.mm in Sources */ = {isa = PBXBuildFile; fileRef = A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */; };
                 A13EBBAA1B87428D00097110 /* WebProcessPlugIn.mm in Sources */ = {isa = PBXBuildFile; fileRef = A13EBBA91B87428D00097110 /* WebProcessPlugIn.mm */; };
                 A13EBBAB1B87434600097110 /* PlatformUtilitiesCocoa.mm in Sources */ = {isa = PBXBuildFile; fileRef = 0F139E721A423A2B00F590F5 /* PlatformUtilitiesCocoa.mm */; };
@@ -1055 +1056 @@
                 9C64DC311D76198A004B598E /* YouTubePluginReplacement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = YouTubePluginReplacement.cpp; sourceTree = "<group>"; };
                 A1146A8A1D2D704F000FE710 /* ContentFiltering.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ContentFiltering.mm; sourceTree = "<group>"; };
+                A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = LoadDataWithNilMIMEType.mm; sourceTree = "<group>"; };
                 A13EBB491B87339E00097110 /* TestWebKitAPI.wkbundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = TestWebKitAPI.wkbundle; sourceTree = BUILT_PRODUCTS_DIR; };
                 A13EBB521B87346600097110 /* WebProcessPlugIn.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = WebProcessPlugIn.xcconfig; sourceTree = "<group>"; };
@@ -1428 +1430 @@
                                 0F3B94A51A77266C00DE3272 /* WKWebViewEvaluateJavaScript.mm */,
                                 9984FACA1CFFAEEE008D198C /* WKWebViewTextInput.mm */,
+                                A125478D1DB18B9400358564 /* LoadDataWithNilMIMEType.mm */,
                         );
                         name = "WebKit2 Cocoa";
@@ -2396 +2399 @@
                                 7CCE7EC01A411A7E00447C4C /* FragmentNavigation.mm in Sources */,
                                 7CCE7EF61A411AE600447C4C /* FrameMIMETypeHTML.cpp in Sources */,
+                                A125478F1DB18B9400358564 /* LoadDataWithNilMIMEType.mm in Sources */,
                                 7CCE7EF71A411AE600447C4C /* FrameMIMETypePNG.cpp in Sources */,
                                 7C83E0BD1D0A650C00FEBCF3 /* FullscreenTopContentInset.mm in Sources */,