Changeset 262023 in webkit

Timestamp:

May 21, 2020 1:14:36 PM (4 years ago)

Author:

commit-queue@webkit.org

Message:

Null Ptr Deref @ WebCore::ResourceResponse::platformLazyInit
​https://bugs.webkit.org/show_bug.cgi?id=212224

Patch by Pinki Gyanchandani <​pgyanchandani@apple.com> on 2020-05-21
Reviewed by Geoffrey Garen.

Source/WebKitLegacy/mac:

Its possible that client can cancel the load implicitly or explicitly after its informed that load is committed, but code continues to assume that
loading is still in progress. This was cause of crash.
Added nullptr check before dereferencing the documentLoader, after client calls the commit load.

• WebView/WebHTMLRepresentation.mm:

(-[WebHTMLRepresentation receivedData:withDataSource:]):

LayoutTests:

Added a regression test.

• media/continue-load-after-client-cancellation-crash-expected.txt: Added.
• media/continue-load-after-client-cancellation-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/media/continue-load-after-client-cancellation-crash-expected.txt (added)
• LayoutTests/media/continue-load-after-client-cancellation-crash.html (added)
• Source/WebKitLegacy/mac/ChangeLog (modified) (1 diff)
• Source/WebKitLegacy/mac/WebView/WebHTMLRepresentation.mm (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-05-21  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null Ptr Deref @ WebCore::ResourceResponse::platformLazyInit
+        https://bugs.webkit.org/show_bug.cgi?id=212224
+
+        Reviewed by Geoffrey Garen.
+
+        Added a regression test.
+
+        * media/continue-load-after-client-cancellation-crash-expected.txt: Added.
+        * media/continue-load-after-client-cancellation-crash.html: Added.
+
 2020-05-21  Peng Liu  <peng.liu6@apple.com>
 

trunk/Source/WebKitLegacy/mac/ChangeLog

@@ +1 @@
+2020-05-21  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null Ptr Deref @ WebCore::ResourceResponse::platformLazyInit
+        https://bugs.webkit.org/show_bug.cgi?id=212224
+
+        Reviewed by Geoffrey Garen.
+
+        Its possible that client can cancel the load implicitly or explicitly after its informed that load is committed, but code continues to assume that
+        loading is still in progress. This was cause of crash.
+        Added nullptr check before dereferencing the documentLoader, after client calls the commit load.
+
+        * WebView/WebHTMLRepresentation.mm:
+        (-[WebHTMLRepresentation receivedData:withDataSource:]):
+
 2020-05-20  Darin Adler  <darin@apple.com>
 

trunk/Source/WebKitLegacy/mac/WebView/WebHTMLRepresentation.mm

@@ -172 +172 @@
 - (void)receivedData:(NSData *)data withDataSource:(WebDataSource *)dataSource
 {
+    auto protectedSelf = retainPtr(self);
     WebFrame *webFrame = [dataSource webFrame];
     if (!webFrame)
@@ -181 +182 @@
     // If the document is a stand-alone media document, now is the right time to cancel the WebKit load
     Frame* coreFrame = core(webFrame);
-    if (coreFrame->document()->isMediaDocument())
+    if (coreFrame->document()->isMediaDocument() && coreFrame->loader().documentLoader())
         coreFrame->loader().documentLoader()->cancelMainResourceLoad(coreFrame->loader().client().pluginWillHandleLoadError(coreFrame->loader().documentLoader()->response()));