Title: [254576] trunk
Revision
254576
Author
achristen...@apple.com
Date
2020-01-15 10:40:56 -0800 (Wed, 15 Jan 2020)

Log Message

Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
https://bugs.webkit.org/show_bug.cgi?id=206204

Source/WebCore:

Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-01-15
Reviewed by Alex Christensen.

Test: loader/change-src-during-iframe-load-crash.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::frameLoader const):
(WebCore::DocumentLoader::clearMainResourceLoader):

LayoutTests:

Added a NULL pointer check for FrameLoader. If FrameLoader is NULL then return instead of
accessing activeDocumentLoader.

Patch by Pinki Gyanchandani <pgyanchand...@apple.com> on 2020-01-15
Reviewed by Alex Christensen.

* loader/change-src-during-iframe-load-crash-expected.txt: Added.
* loader/change-src-during-iframe-load-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (254575 => 254576)


--- trunk/LayoutTests/ChangeLog	2020-01-15 18:22:16 UTC (rev 254575)
+++ trunk/LayoutTests/ChangeLog	2020-01-15 18:40:56 UTC (rev 254576)
@@ -1,3 +1,16 @@
+2020-01-15  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
+        https://bugs.webkit.org/show_bug.cgi?id=206204
+
+        Added a NULL pointer check for FrameLoader. If FramLoader is NULL then return instead of
+        accessing activeDocumentLoader.
+
+        Reviewed by Alex Christensen.
+
+        * loader/change-src-during-iframe-load-crash-expected.txt: Added.
+        * loader/change-src-during-iframe-load-crash.html: Added.
+
 2020-01-15  Jer Noble  <jer.no...@apple.com>
 
         Revert fullscreen CSS quirk for reddit.com; add width and height style to fullscreen.css.
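Review bot: the sentence at `+        Added a NULL pointer check for FrameLoader. If FramLoader is NULL then return instead of` describes the Source/WebCore fix rather than the test, and `FramLoader` is a typo for `FrameLoader`; suggest moving that description to the Source/WebCore ChangeLog entry and describing here what the new test exercises (replacing an iframe's srcdoc from a load handler while the iframe is still loading), so each ChangeLog documents its own change.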

Modified: trunk/LayoutTests/http/tests/security/http-0.9/xhr-blocked-expected.txt (254575 => 254576)


--- trunk/LayoutTests/http/tests/security/http-0.9/xhr-blocked-expected.txt	2020-01-15 18:22:16 UTC (rev 254575)
+++ trunk/LayoutTests/http/tests/security/http-0.9/xhr-blocked-expected.txt	2020-01-15 18:40:56 UTC (rev 254576)
@@ -1,2 +1,3 @@
+asdf
 ALERT: PASS
 
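Review bot: the `+asdf` line added to http/tests/security/http-0.9/xhr-blocked-expected.txt is unrelated to the null-pointer fix and looks like a stray edit; unless that test's output really changed to print `asdf` before `ALERT: PASS`, this will make xhr-blocked.html fail after landing, so the hunk should be dropped from the commit.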

Added: trunk/LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt (0 => 254576)


--- trunk/LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt	2020-01-15 18:40:56 UTC (rev 254576)
@@ -0,0 +1 @@
+The test is declared pass if there is no crash observed.

Added: trunk/LayoutTests/loader/change-src-during-iframe-load-crash.html (0 => 254576)


--- trunk/LayoutTests/loader/change-src-during-iframe-load-crash.html	                        (rev 0)
+++ trunk/LayoutTests/loader/change-src-during-iframe-load-crash.html	2020-01-15 18:40:56 UTC (rev 254576)
@@ -0,0 +1,20 @@
+<html>
+<script>
+function load() {
+    document.body.innerHTML = 'The test is declared pass if there is no crash observed.';
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+}
+
+function eventhandler3() {
+    iframe1.srcdoc = "x";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+</script>
+<body _onload_="load()">
+<iframe id="iframe1" src=""
+<iframe id="iframe2" _onload_="eventhandler3()" srcdoc="y">
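Review bot: the first iframe tag `+<iframe id="iframe1" src=""` has no closing `>`, so the HTML parser folds the next line into that tag's attribute list: `<iframe` becomes an attribute name, the duplicate `id` is ignored, and the `srcdoc="y"` and load-handler attributes land on iframe1 instead of on a separate iframe2. If that malformed markup is what reproduces the crash (the handler then replaces iframe1's own srcdoc while it is loading, which matches the test name), add a comment saying so, otherwise a later cleanup will "fix" the tag and silently lose the coverage; if it is unintentional, close the tag. Separately, an iframe's load event fires before the body's load event, so `eventhandler3()` can call `testRunner.notifyDone()` before `load()` has called `waitUntilDone()`; worth confirming the test completes promptly rather than on the harness timeout. The handler attributes appear as `_onload_` in this archived copy, presumably rewritten by the list archive from `onload`.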

Modified: trunk/Source/WebCore/ChangeLog (254575 => 254576)


--- trunk/Source/WebCore/ChangeLog	2020-01-15 18:22:16 UTC (rev 254575)
+++ trunk/Source/WebCore/ChangeLog	2020-01-15 18:40:56 UTC (rev 254576)
@@ -1,3 +1,16 @@
+2020-01-15  Pinki Gyanchandani  <pgyanchand...@apple.com>
+
+        Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
+        https://bugs.webkit.org/show_bug.cgi?id=206204
+
+        Reviewed by Alex Christensen.
+
+        Test: loader/change-src-during-iframe-load-crash.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::frameLoader const):
+        (WebCore::DocumentLoader::clearMainResourceLoader):
+
 2020-01-15  Jer Noble  <jer.no...@apple.com>
 
         Revert fullscreen CSS quirk for reddit.com; add width and height style to fullscreen.css.
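Review bot: the entry lists `(WebCore::DocumentLoader::frameLoader const):` among the modified functions, but the DocumentLoader.cpp diff in this commit only touches clearMainResourceLoader; either a change to frameLoader() is missing from the commit or that line should be removed. The entry also carries no description of the fix itself; the sentence about the NULL pointer check for FrameLoader that was placed in LayoutTests/ChangeLog belongs here, ideally with a note on how frameLoader() comes to be null (the loader having been detached from its frame during the load).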

Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (254575 => 254576)


--- trunk/Source/WebCore/loader/DocumentLoader.cpp	2020-01-15 18:22:16 UTC (rev 254575)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp	2020-01-15 18:40:56 UTC (rev 254576)
@@ -1272,7 +1272,11 @@
 {
     m_loadingMainResource = false;
 
-    if (this == frameLoader()->activeDocumentLoader())
+    auto* frameLoader = this->frameLoader();
+    if (!frameLoader)
+        return;
+
+    if (this == frameLoader->activeDocumentLoader())
         checkLoadComplete();
 }
 
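Review bot: the early return at `+    if (!frameLoader)` / `+        return;` removes the dereference, but nothing records why frameLoader() can be null at this point; a short comment (the DocumentLoader has presumably been detached from its Frame, as happens when the iframe's srcdoc is replaced from a load handler in the new test) would make the condition reviewable and stop someone from removing the check as redundant. Also worth checking that `checkLoadComplete()`, still reached only when this is the active document loader, does not itself go through frameLoader() on a path where the frame can disappear mid-call; that is not visible in this hunk.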
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
