Changeset 247874 in webkit


Timestamp:
Jul 26, 2019 1:46:48 PM (5 years ago)
Author:
commit-queue@webkit.org
Message:

[curl] Heap corruption in ~CurlResponse
https://bugs.webkit.org/show_bug.cgi?id=198320

Patch by Takashi Komori <Takashi.Komori@sony.com> on 2019-07-26
Reviewed by Fujii Hironori.

Stop sharing an object that was referenced by two threads, to fix the crash bug.

No tests needed, no functionality changes.

  • platform/network/curl/CurlRequest.cpp:

(WebCore::CurlRequest::start):
(WebCore::CurlRequest::invokeDidReceiveResponseForFile):

  • platform/network/curl/CurlRequest.h:
Location:
trunk/Source/WebCore
Files:
3 edited

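--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,18 @@
+2019-07-26  Takashi Komori  <Takashi.Komori@sony.com>
+
+        [curl] Heap corruption in ~CurlResponse
+        https://bugs.webkit.org/show_bug.cgi?id=198320
+
+        Reviewed by Fujii Hironori.
+
+        Stop sharing object which was reffered by two threads to fix crash bug.
+
+        No tests needed, no functionality changes.
+
+        * platform/network/curl/CurlRequest.cpp:
+        (WebCore::CurlRequest::start):
+        (WebCore::CurlRequest::invokeDidReceiveResponseForFile):
+        * platform/network/curl/CurlRequest.h:
+
 2019-07-26  Youenn Fablet  <youenn@apple.com>
 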
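--- a/trunk/Source/WebCore/platform/network/curl/CurlRequest.cpp
+++ b/trunk/Source/WebCore/platform/network/curl/CurlRequest.cpp
@@ -36,5 +36,6 @@
 #include "ResourceError.h"
 #include "SharedBuffer.h"
+#include <wtf/CrossThreadCopier.h>
 #include <wtf/Language.h>
 #include <wtf/MainThread.h>
@@ -107,11 +108,9 @@
     ASSERT(isMainThread());
 
-    auto url = m_request.url().isolatedCopy();
-
     if (std::isnan(m_requestStartTime))
         m_requestStartTime = MonotonicTime::now().isolatedCopy();
 
-    if (url.isLocalFile())
-        invokeDidReceiveResponseForFile(url);
+    if (m_request.url().isLocalFile())
+        invokeDidReceiveResponseForFile(m_request.url());
     else
         startWithJobManager();
@@ -580,5 +579,5 @@
 }
 
-void CurlRequest::invokeDidReceiveResponseForFile(URL& url)
+void CurlRequest::invokeDidReceiveResponseForFile(const URL& url)
 {
     // Since the code in didReceiveHeader() will not have run for local files
@@ -590,13 +589,15 @@
     ASSERT(url.isLocalFile());
 
-    m_response.url = url;
-    m_response.statusCode = 200;
-
     // Determine the MIME type based on the path.
-    m_response.headers.append(String("Content-Type: " + MIMETypeRegistry::getMIMETypeForPath(m_response.url.path())));
+    auto mimeType = MIMETypeRegistry::getMIMETypeForPath(url.path());
 
     // DidReceiveResponse must not be called immediately
-    runOnWorkerThreadIfRequired([this, protectedThis = makeRef(*this)]() {
-        invokeDidReceiveResponse(m_response, Action::StartTransfer);
+    runOnWorkerThreadIfRequired([this, protectedThis = makeRef(*this), url = crossThreadCopy(url), mimeType = crossThreadCopy(WTFMove(mimeType))]() mutable {
+        CurlResponse response;
+        response.url = WTFMove(url);
+        response.statusCode = 200;
+        response.headers.append("Content-Type: " + mimeType);
+
+        invokeDidReceiveResponse(response, Action::StartTransfer);
     });
 }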
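Review bot: The lambda at new line 595 now builds a local CurlResponse from cross-thread copies instead of filling in m_response on the main thread, but nothing in the code records why, so the next edit that "simplifies" it back to m_response would reintroduce the crash this commit fixes. I would extend the comment above the call to `// Build the response inside the task from isolated copies: this lambda may run on the worker thread, and a CurlResponse (and the strings it holds) must not be shared between the main thread and the worker thread (bug 198320).` The `url = crossThreadCopy(url)` init-capture is evaluated on the calling thread, which is what makes the handoff safe and presumably why start() no longer needs its own isolatedCopy(). invokeDidReceiveResponse receives the response by const reference; if it copies it into m_response on the worker thread, that copy is subject to the same single-thread ownership rule, which is worth confirming since its body lies outside this hunk.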
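--- a/trunk/Source/WebCore/platform/network/curl/CurlRequest.h
+++ b/trunk/Source/WebCore/platform/network/curl/CurlRequest.h
@@ -142,5 +142,5 @@
     bool needToInvokeDidReceiveResponse() const { return m_didReceiveResponse && !m_didNotifyResponse; }
     bool needToInvokeDidCancelTransfer() const { return m_didNotifyResponse && !m_didReturnFromNotify && m_actionAfterInvoke == Action::FinishTransfer; }
-    void invokeDidReceiveResponseForFile(URL&);
+    void invokeDidReceiveResponseForFile(const URL&);
     void invokeDidReceiveResponse(const CurlResponse&, Action);
     void setRequestPaused(bool);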