Revision: 272396
Author: commit-qu...@webkit.org
Date: 2021-02-04 16:17:06 -0800 (Thu, 04 Feb 2021)
Log Message
Null dereference in DocumentLoader::commitData()
https://bugs.webkit.org/show_bug.cgi?id=221097
Patch by Julian Gonzalez <julian_a_gonza...@apple.com> on 2021-02-04
Reviewed by Alex Christensen.
Source/WebCore:
Be careful to check the return value of DocumentWriter::begin()
before calling DocumentWriter::setDocumentWasLoadedAsPartOfNavigation().
This work involves exposing MediaDocument.h.
Test: loader/cancel-load-crash.html
* Headers.cmake:
* WebCore.xcodeproj/project.pbxproj:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::commitData):
Source/WebKit:
As we add another return-early case to commitData(),
WebFrameLoaderClient::committedLoad() has to allow for
the absence of a Document.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::committedLoad):
LayoutTests:
Add a test that catches the null dereference
in DocumentLoader::commitData().
* loader/cancel-load-crash-expected.txt: Added.
* loader/cancel-load-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (272395 => 272396)
--- trunk/LayoutTests/ChangeLog 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/LayoutTests/ChangeLog 2021-02-05 00:17:06 UTC (rev 272396)
@@ -1,3 +1,16 @@
+2021-02-04 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Null dereference in DocumentLoader::commitData()
+ https://bugs.webkit.org/show_bug.cgi?id=221097
+
+ Reviewed by Alex Christensen.
+
+ Add a test that catches the null dereference
+ in DocumentLoader::commitData().
+
+ * loader/cancel-load-crash-expected.txt: Added.
+ * loader/cancel-load-crash.html: Added.
+
2021-02-04 Chris Dumez <cdu...@apple.com>
Potential crash under BaseAudioContext's toJSNewlyCreated()
Added: trunk/LayoutTests/loader/cancel-load-crash-expected.txt (0 => 272396)
--- trunk/LayoutTests/loader/cancel-load-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/loader/cancel-load-crash-expected.txt 2021-02-05 00:17:06 UTC (rev 272396)
@@ -0,0 +1,2 @@
+This test passes if we do not crash. PASS
+
Added: trunk/LayoutTests/loader/cancel-load-crash.html (0 => 272396)
--- trunk/LayoutTests/loader/cancel-load-crash.html (rev 0)
+++ trunk/LayoutTests/loader/cancel-load-crash.html 2021-02-05 00:17:06 UTC (rev 272396)
@@ -0,0 +1,37 @@
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+<head>
+<script>
+function setup() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ iframe.src = ""
+ h1._onsuspend_ = eventH1;
+ div = document.createElement("div");
+ window.requestIdleCallback(eventWindow, {});
+}
+function eventH1() {
+ document.all[0].appendChild(select);
+}
+function eventSelect() {
+ document.all[0].appendChild(iframe);
+}
+function eventWindow() {
+ window[0].focus();
+ window[0]._onpagehide_ = h1.onsuspend;
+ select.autofocus = true;
+}
+</script>
+</head>
+<body _onload_=setup()>
+This test passes if we do not crash. PASS
+<iframe id="iframe"></iframe>
+<dl>
+<dt>
+<h1 id="h1">
+<select id="select" _onfocus_="eventSelect()">-</select>
+</h1>
+</dt>
+</dl>
+</body>
+</html>
\ No newline at end of file
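Review bot: the test has no comment describing the event sequence it depends on (setup() wires h1's suspend handler to the inner window's pagehide in eventWindow(), the autofocused select then re-parents the iframe in eventSelect()), so a future maintainer cannot tell which step cancels the load mid-commit and cannot judge whether a later change to focus or pagehide timing silently breaks the repro; a one- or two-line comment above `function setup()` would fix that. The stray `-` text inside `<select id="select" ...>` looks like fuzzer residue and could be dropped if it is not needed to reproduce.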
Modified: trunk/Source/WebCore/ChangeLog (272395 => 272396)
--- trunk/Source/WebCore/ChangeLog 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebCore/ChangeLog 2021-02-05 00:17:06 UTC (rev 272396)
@@ -1,3 +1,21 @@
+2021-02-04 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Null dereference in DocumentLoader::commitData()
+ https://bugs.webkit.org/show_bug.cgi?id=221097
+
+ Reviewed by Alex Christensen.
+
+ Be careful to check the return value of DocumentWriter::begin()
+ before calling DocumentWriter::setDocumentWasLoadedAsPartOfNavigation().
+ This work involves exposing MediaDocument.h.
+
+ Test: loader/cancel-load-crash.html
+
+ * Headers.cmake:
+ * WebCore.xcodeproj/project.pbxproj:
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::commitData):
+
2021-02-04 Chris Dumez <cdu...@apple.com>
Potential crash under BaseAudioContext's toJSNewlyCreated()
Modified: trunk/Source/WebCore/Headers.cmake (272395 => 272396)
--- trunk/Source/WebCore/Headers.cmake 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebCore/Headers.cmake 2021-02-05 00:17:06 UTC (rev 272396)
@@ -692,6 +692,7 @@
html/LinkIconType.h
html/LinkRelAttribute.h
html/MediaControllerInterface.h
+ html/MediaDocument.h
html/MediaElementSession.h
html/MediaError.h
html/PluginDocument.h
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (272395 => 272396)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2021-02-05 00:17:06 UTC (rev 272396)
@@ -2935,7 +2935,7 @@
9711460414EF009A00674FD9 /* NavigatorGeolocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 9711460114EF009A00674FD9 /* NavigatorGeolocation.h */; };
97205AB0123928CA00B17380 /* FTPDirectoryDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = 97205AAE123928CA00B17380 /* FTPDirectoryDocument.h */; };
97205AB61239291000B17380 /* ImageDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = 97205AB21239291000B17380 /* ImageDocument.h */; settings = {ATTRIBUTES = (Private, ); }; };
- 97205AB81239291000B17380 /* MediaDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = 97205AB41239291000B17380 /* MediaDocument.h */; };
+ 97205AB81239291000B17380 /* MediaDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = 97205AB41239291000B17380 /* MediaDocument.h */; settings = {ATTRIBUTES = (Private, ); }; };
97205ABC1239292700B17380 /* PluginDocument.h in Headers */ = {isa = PBXBuildFile; fileRef = 97205ABA1239292700B17380 /* PluginDocument.h */; settings = {ATTRIBUTES = (Private, ); }; };
9728C3141268E4390041E89B /* MarkupAccumulator.h in Headers */ = {isa = PBXBuildFile; fileRef = 9728C3121268E4390041E89B /* MarkupAccumulator.h */; };
973889A1116EA9DC00ADF313 /* DocumentWriter.h in Headers */ = {isa = PBXBuildFile; fileRef = 9738899F116EA9DC00ADF313 /* DocumentWriter.h */; settings = {ATTRIBUTES = (Private, ); }; };
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (272395 => 272396)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2021-02-05 00:17:06 UTC (rev 272396)
@@ -1137,6 +1137,9 @@
if (!m_gotFirstByte) {
m_gotFirstByte = true;
bool hasBegun = m_writer.begin(documentURL(), false);
+ if (!hasBegun)
+ return;
+
m_writer.setDocumentWasLoadedAsPartOfNavigation();
auto* documentOrNull = m_frame ? m_frame->document() : nullptr;
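Review bot: `m_gotFirstByte = true;` is set on the line before `m_writer.begin()` runs, so when begin() fails and the new `if (!hasBegun) return;` fires, any later commitData() call on this loader would skip this block and fall through to the write path with a writer that never began. If a failed begin() always means the load has been cancelled and no further data can arrive, a comment stating that above the early return would make the contract explicit; otherwise consider resetting m_gotFirstByte before returning.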
@@ -1204,8 +1207,6 @@
}
m_writer.setEncoding(encoding, userChosen);
-
- RELEASE_ASSERT(hasBegun);
}
#if ENABLE(CONTENT_EXTENSIONS)
Modified: trunk/Source/WebKit/ChangeLog (272395 => 272396)
--- trunk/Source/WebKit/ChangeLog 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebKit/ChangeLog 2021-02-05 00:17:06 UTC (rev 272396)
@@ -1,3 +1,17 @@
+2021-02-04 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Null dereference in DocumentLoader::commitData()
+ https://bugs.webkit.org/show_bug.cgi?id=221097
+
+ Reviewed by Alex Christensen.
+
+ As we add another return-early case to commitData(),
+ WebFrameLoaderClient::committedLoad() has to allow for
+ the absence of a Document.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::committedLoad):
+
2021-02-04 Kate Cheney <katherine_che...@apple.com>
Link libnetworkextension at compile time
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (272395 => 272396)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2021-02-05 00:15:30 UTC (rev 272395)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2021-02-05 00:17:06 UTC (rev 272396)
@@ -77,6 +77,7 @@
#include <WebCore/HistoryController.h>
#include <WebCore/HistoryItem.h>
#include <WebCore/MIMETypeRegistry.h>
+#include <WebCore/MediaDocument.h>
#include <WebCore/MouseEvent.h>
#include <WebCore/NotImplemented.h>
#include <WebCore/Page.h>
@@ -1147,7 +1148,7 @@
// If the document is a stand-alone media document, now is the right time to cancel the WebKit load.
// FIXME: This code should be shared across all ports. <http://webkit.org/b/48762>.
- if (m_frame->coreFrame()->document()->isMediaDocument())
+ if (is<MediaDocument>(m_frame->coreFrame()->document()))
loader->cancelMainResourceLoad(pluginWillHandleLoadError(loader->response()));
// Calling commitData did not create the plug-in view.
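Review bot: the null tolerance here is implicit: the pointer overload of `is<MediaDocument>()` returns false for a null pointer, which is what lets committedLoad() cope with commitData() now returning before a Document exists, but nothing at the call site says so, and a reader could later "simplify" it back to `document()->isMediaDocument()` and reintroduce the crash. A short comment noting that document() may be null after the early return in DocumentLoader::commitData() would prevent that. Note also that `m_frame->coreFrame()` is still dereferenced unconditionally on the changed line, so only the Document, not the Frame, is allowed to be absent here.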