Changeset 217695 in webkit

Timestamp:

Jun 1, 2017 9:35:25 PM (7 years ago)

Author:

Chris Dumez

Message:

REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
​https://bugs.webkit.org/show_bug.cgi?id=172846
<rdar://problem/31093005>

Reviewed by Andreas Kling.

In NPJSObject::invoke(), return early if there was an exception when calling JSC::call().
Using the value returned by JSC::call() when an exception occurred is unsafe.

• WebProcess/Plugins/Netscape/NPJSObject.cpp:

(WebKit::NPJSObject::invoke):

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/Plugins/Netscape/NPJSObject.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2017-06-01  Chris Dumez  <cdumez@apple.com>
+
+        REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
+        https://bugs.webkit.org/show_bug.cgi?id=172846
+        <rdar://problem/31093005>
+
+        Reviewed by Andreas Kling.
+
+        In NPJSObject::invoke(), return early if there was an exception when calling JSC::call().
+        Using the value returned by JSC::call() when an exception occurred is unsafe.
+
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::invoke):
+
 2017-06-01  Jon Lee  <jonlee@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

@@ -312 +312 @@
     JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
 
+    if (UNLIKELY(scope.exception())) {
+        scope.clearException();
+        return false;
+    }
+
     // Convert and return the result of the function call.
     m_objectMap->convertJSValueToNPVariant(exec, value, *result);
-    scope.clearException();
     
     return true;