Changeset 275474 in webkit
- Timestamp: Apr 5, 2021 7:12:48 PM
- Location: trunk/Source/WebKit
- Files: 2 edited
trunk/Source/WebKit/ChangeLog
r275473 r275474 1 2021-04-05 Chris Dumez <cdumez@apple.com> 2 3 Protect frame in WebPage::runJavaScriptInFrameInScriptWorld() 4 https://bugs.webkit.org/show_bug.cgi?id=224210 5 6 Reviewed by Alex Christensen. 7 8 Between the time we were getting the raw pointer to the frame, and the time were were passing it to 9 WebPage::runJavaScript(), we were potentially calling WebFrameLoaderClient::dispatchGlobalObjectAvailable(). 10 It is possible in theory for those synchronous injected bundle calls to mess with the frame tree and cause 11 our frame to go bad. As a result, it is best to protect the frame as soon as we get it. 12 13 * WebProcess/WebPage/WebPage.cpp: 14 (WebKit::WebPage::runJavaScriptInFrameInScriptWorld): 15 1 16 2021-04-05 Wenson Hsieh <wenson_hsieh@apple.com> 2 17 -
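Review bot: typo in the ChangeLog description, "the time were were passing it to WebPage::runJavaScript()" should read "the time we were passing it to WebPage::runJavaScript()". The rationale itself is worth keeping as written: the window is the synchronous injected-bundle callback (WebFrameLoaderClient::dispatchGlobalObjectAvailable()) that can run between fetching the raw WebFrame* and handing it to runJavaScript(), so the fix is to hold a reference from the moment the pointer is obtained.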
trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp
r275447 r275474 3653 3653 void WebPage::runJavaScriptInFrameInScriptWorld(RunJavaScriptParameters&& parameters, Optional<WebCore::FrameIdentifier> frameID, const std::pair<ContentWorldIdentifier, String>& worldData, CompletionHandler<void(const IPC::DataReference&, const Optional<WebCore::ExceptionDetails>&)>&& completionHandler) 3654 3654 { 3655 auto * webFrame = frameID ? WebProcess::singleton().webFrame(*frameID) : &mainWebFrame();3655 auto webFrame = makeRefPtr(frameID ? WebProcess::singleton().webFrame(*frameID) : &mainWebFrame()); 3656 3656 3657 3657 if (auto* newWorld = m_userContentController->addContentWorld(worldData)) { … … 3661 3661 } 3662 3662 3663 runJavaScript(webFrame , WTFMove(parameters), worldData.first, WTFMove(completionHandler));3663 runJavaScript(webFrame.get(), WTFMove(parameters), worldData.first, WTFMove(completionHandler)); 3664 3664 } 3665 3665
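Review bot: the RefPtr taken at line 3655 keeps the WebFrame object alive across the m_userContentController->addContentWorld(worldData) call, but it does not keep the frame in the frame tree: if the injected-bundle callback mentioned in the ChangeLog detaches or navigates the frame, webFrame.get() at line 3663 is still non-null and is passed to runJavaScript() with a possibly null coreFrame(). Please confirm that runJavaScript() (not part of this hunk) null-checks both webFrame and webFrame->coreFrame() before evaluating, or add that check here immediately before the runJavaScript() call. A related point: if WebProcess::singleton().webFrame(*frameID) returns null for a frameID the process does not know, makeRefPtr() wraps nullptr and the call at 3663 proceeds exactly as it did before the patch; that is unchanged behaviour, but the same null check covers it.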