Title: [197885] trunk/Source/WebKit2
Revision: 197885
Author: achristen...@apple.com
Date: 2016-03-09 13:49:59 -0800 (Wed, 09 Mar 2016)

Log Message

Fix use-after-free when cancelling synchronous XHR when using NetworkSession
https://bugs.webkit.org/show_bug.cgi?id=155253

Reviewed by Brady Eidson.

* NetworkProcess/NetworkLoad.cpp:
(WebKit::NetworkLoad::continueWillSendRequest):
Store the completion handler on the stack before calling didFail, which deletes the
NetworkLoad, so we don't access m_redirectCompletionHandler after deleting the NetworkLoad.

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (197884 => 197885)


--- trunk/Source/WebKit2/ChangeLog	2016-03-09 21:48:19 UTC (rev 197884)
+++ trunk/Source/WebKit2/ChangeLog	2016-03-09 21:49:59 UTC (rev 197885)
@@ -1,3 +1,15 @@
+2016-03-09  Alex Christensen  <achristen...@webkit.org>
+
+        Fix use-after-free when cancelling synchronous XHR when using NetworkSession
+        https://bugs.webkit.org/show_bug.cgi?id=155253
+
+        Reviewed by Brady Eidson.
+
+        * NetworkProcess/NetworkLoad.cpp:
+        (WebKit::NetworkLoad::continueWillSendRequest):
+        Store the completion handler on the stack before calling didFail, which deletes the
+        NetworkLoad, so we don't access m_redirectCompletionHandler after deleting the NetworkLoad.
+
 2016-03-09  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r197698.
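Review bot: The entry lists only NetworkLoad.cpp and says nothing about test coverage for the cancelled synchronous XHR path; please add a line naming the test that exercises it or stating that no new test is added and why. It would also help to mention the new early `return` after `didFail`, since the summary line only describes moving the completion handler to the stack and not that control no longer falls through to the `#if USE(NETWORK_SESSION)` block at the end of the function.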

Modified: trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp (197884 => 197885)


--- trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp	2016-03-09 21:48:19 UTC (rev 197884)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkLoad.cpp	2016-03-09 21:49:59 UTC (rev 197885)
@@ -110,19 +110,26 @@
     m_currentRequest.updateFromDelegatePreservingOldProperties(newRequest);
 #endif
 
+#if USE(NETWORK_SESSION)
+    auto redirectCompletionHandler = std::exchange(m_redirectCompletionHandler, nullptr);    
+    ASSERT(redirectCompletionHandler);
+#endif
+    
     if (m_currentRequest.isNull()) {
         if (m_handle)
             m_handle->cancel();
         didFail(m_handle.get(), cancelledError(m_currentRequest));
+#if USE(NETWORK_SESSION)
+        if (redirectCompletionHandler)
+            redirectCompletionHandler({ });
+#endif
+        return;
     } else if (m_handle)
         m_handle->continueWillSendRequest(m_currentRequest);
 
 #if USE(NETWORK_SESSION)
-    ASSERT(m_redirectCompletionHandler);
-    if (m_redirectCompletionHandler) {
-        m_redirectCompletionHandler(m_currentRequest);
-        m_redirectCompletionHandler = nullptr;
-    }
+    if (redirectCompletionHandler)
+        redirectCompletionHandler(m_currentRequest);
 #endif
 }
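Review bot: In the `m_currentRequest.isNull()` branch, `didFail()` can delete this `NetworkLoad` (the ChangeLog says so), so nothing after that call may touch a member; the moved-out local `redirectCompletionHandler` and the new `return` achieve that, but a comment on the `didFail` line such as `// didFail may delete this; only locals may be used below.` would keep a later edit from reintroducing the use-after-free. Two smaller points: the `std::exchange` line and the blank `+` line after the first `#endif` carry trailing whitespace, and `ASSERT(redirectCompletionHandler)` followed by two `if (redirectCompletionHandler)` guards means a null handler is silently tolerated in release builds; if a null handler under `USE(NETWORK_SESSION)` is genuinely impossible the guards can go, otherwise the assert overstates the invariant.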
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
