Title: [186666] trunk/Source/WebCore
- Revision: 186666
- Author: za...@apple.com
- Date: 2015-07-09 22:55:20 -0700 (Thu, 09 Jul 2015)
Log Message
Plugin create can end up destroying its renderer.
https://bugs.webkit.org/show_bug.cgi?id=146824
rdar://problem/18921429
Reviewed by Andreas Kling.
Plugins can run arbitrary code during initialization. If the plugin
happens to destroy the associated node, its renderer becomes invalid.
This patch checks whether the renderer survived the createPlugin() call.
(This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.)
Speculative fix. Not reproducible.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadPlugin):
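The guard described in the log message, as an added example that is not WebKit's code: std::weak_ptr stands in for WebCore's WeakPtr, and Renderer, PluginElement, Widget, the createPlugin callback and this loadPlugin are simplified stand-ins for the real classes.

```cpp
// Added illustration of the patch's WeakPtr guard, not WebCore code.
#include <functional>
#include <memory>

struct Renderer {
    bool pluginUnavailable = false;
};

struct PluginElement {
    // The element owns its renderer; destroying (or detaching) the element
    // frees the renderer, which a misbehaving plugin can trigger mid-creation.
    std::shared_ptr<Renderer> renderer = std::make_shared<Renderer>();
};

struct Widget {};

// Hypothetical stand-in for FrameLoaderClient::createPlugin(): it may run
// arbitrary plugin code before returning a widget (or null on failure).
using CreatePlugin = std::function<std::shared_ptr<Widget>(PluginElement&)>;

// Mirrors SubframeLoader::loadPlugin() after the patch: take a weak reference
// to the renderer, call out to the plugin, and bail out if the renderer died.
bool loadPlugin(PluginElement& element, const CreatePlugin& createPlugin, bool useFallback)
{
    if (useFallback)
        return false;

    Renderer* renderer = element.renderer.get();
    if (!renderer)
        return false;

    std::weak_ptr<Renderer> weakRenderer = element.renderer;
    // createPlugin *may* cause this renderer to disappear from underneath.
    std::shared_ptr<Widget> widget = createPlugin(element);
    if (weakRenderer.expired())
        return false; // renderer is gone; dereferencing it would be a use-after-free

    if (!widget) {
        renderer->pluginUnavailable = true; // safe: the weak check proved it is alive
        return false;
    }
    return true;
}

// Constructed plugin that drops the renderer while it is being created.
std::shared_ptr<Widget> destructivePlugin(PluginElement& element)
{
    element.renderer.reset();
    return std::make_shared<Widget>();
}

// Constructed plugin that behaves and simply hands back a widget.
std::shared_ptr<Widget> wellBehavedPlugin(PluginElement&)
{
    return std::make_shared<Widget>();
}
```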
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (186665 => 186666)
--- trunk/Source/WebCore/ChangeLog 2015-07-10 05:31:50 UTC (rev 186665)
+++ trunk/Source/WebCore/ChangeLog 2015-07-10 05:55:20 UTC (rev 186666)
@@ -1,3 +1,21 @@
+2015-07-09 Zalan Bujtas <za...@apple.com>
+
+ Plugin create can end up destroying its renderer.
+ https://bugs.webkit.org/show_bug.cgi?id=146824
+ rdar://problem/18921429
+
+ Reviewed by Andreas Kling.
+
+ Plugins can run arbitrary code during initialization. If the plugin
+ happens to destroy the associated node, its renderer becomes invalid.
+ This patch checks whether the renderer survived the createPlugin() call.
+ (This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.)
+
+ Speculative fix. Not reproducible.
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::loadPlugin):
+
2015-07-09 Dan Bernstein <m...@apple.com>
WebCore part of Track and expose policies for external URL schemes and App Links separately
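Review bot: the per-function entry `(WebCore::SubframeLoader::loadPlugin):` carries no description, and the entry never states that no test accompanies the change even though `Speculative fix. Not reproducible.` is the reason; a one-line summary under the function name (the useFallback check is hoisted above the renderer lookup, and the renderer is re-checked through a WeakPtr after createPlugin()) plus an explicit "No new tests" line would make the ChangeLog match the code change.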
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (186665 => 186666)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2015-07-10 05:31:50 UTC (rev 186665)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2015-07-10 05:55:20 UTC (rev 186666)
@@ -391,10 +391,12 @@
bool SubframeLoader::loadPlugin(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback)
{
+ if (useFallback)
+ return false;
+
RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
-
// FIXME: This code should not depend on renderer!
- if (!renderer || useFallback)
+ if (!renderer)
return false;
pluginElement.subframeLoaderWillCreatePlugIn(url);
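Review bot: hoisting the `useFallback` test above the renderer lookup is behaviour-preserving (both halves of the old `if (!renderer || useFallback)` returned false), but it is a reordering unrelated to the dangling-renderer fix and is not mentioned in the ChangeLog; either note it there or keep this hunk limited to the WeakPtr change so the fix is easier to audit and backport.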
@@ -408,7 +410,11 @@
loadManually = false;
#endif
+ WeakPtr<RenderWidget> weakRenderer = renderer->createWeakPtr();
+ // createPlugin *may* cause this renderer to disappear from underneath.
RefPtr<Widget> widget = m_frame.loader().client().createPlugin(contentSize, &pluginElement, url, paramNames, paramValues, mimeType, loadManually);
+ if (!weakRenderer)
+ return false;
if (!widget) {
if (!renderer->isPluginUnavailable())
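Review bot: after `if (!weakRenderer) return false;` the function keeps dereferencing the raw `renderer` pointer (`renderer->isPluginUnavailable()` in the trailing context), so the raw pointer and the WeakPtr must stay in sync for the rest of the function; reassigning `renderer = weakRenderer.get()` or using `weakRenderer.get()` from here on would keep the guard self-evident to later readers. Two things are also worth confirming: that the caller keeps `pluginElement` itself alive across createPlugin(), since the plugin destroying the node is exactly the scenario the log message describes, and that letting the freshly created `widget` go out of scope on the new early-return path is sufficient teardown for the plugin instance.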
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes