Title: [208292] trunk
- Revision
- 208292
- Author
- bfulg...@apple.com
- Date
- 2016-11-02 11:11:13 -0700 (Wed, 02 Nov 2016)
Log Message
WebKit nullptr dereference Archive Subframe
https://bugs.webkit.org/show_bug.cgi?id=164281
<rdar://problem/28943006>
Reviewed by Andy Estes.
Source/WebCore:
If the page is torn down during a load, we can attempt to use a deallocated
(and nulled) document loader. Most places that use the "active document loader"
null-check it before using, but there was one place that did not. This patch
fixes that oversight.
Test: fast/dom/crash-with-bad-url.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURLIntoChildFrame): Check that the active document
loader is non-null before using.
LayoutTests:
* fast/dom/crash-with-bad-url-expected.txt: Added.
* fast/dom/crash-with-bad-url.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (208291 => 208292)
--- trunk/LayoutTests/ChangeLog 2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/LayoutTests/ChangeLog 2016-11-02 18:11:13 UTC (rev 208292)
@@ -1,3 +1,14 @@
+2016-11-02 Brent Fulgham <bfulg...@apple.com>
+
+ WebKit nullptr dereference Archive Subframe
+ https://bugs.webkit.org/show_bug.cgi?id=164281
+ <rdar://problem/28943006>
+
+ Reviewed by Andy Estes.
+
+ * fast/dom/crash-with-bad-url-expected.txt: Added.
+ * fast/dom/crash-with-bad-url.html: Added.
+
2016-11-02 Ryan Haddad <ryanhad...@apple.com>
Marking media/modern-media-controls/scrubber-support/scrubber-support-drag.html as flaky.
Added: trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt (0 => 208292)
--- trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt 2016-11-02 18:11:13 UTC (rev 208292)
@@ -0,0 +1,7 @@
+ALERT: 0
+This tests that WebKit properly handles sub-frames with invalid URLs. It passes if it does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
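Review bot: the expectation text promises "a series of "PASS" messages, followed by "TEST COMPLETE"", yet the file contains neither; the only output is the "ALERT: 0" line and the description. Since the pass criterion is purely "does not crash", either drop the PASS/TEST COMPLETE boilerplate from the description or have the test emit an explicit PASS line once runTest() has completed, so a reader of the expected file is not misled about what is being checked.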
Added: trunk/LayoutTests/fast/dom/crash-with-bad-url.html (0 => 208292)
--- trunk/LayoutTests/fast/dom/crash-with-bad-url.html (rev 0)
+++ trunk/LayoutTests/fast/dom/crash-with-bad-url.html 2016-11-02 18:11:13 UTC (rev 208292)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script>
+ description('This tests that WebKit properly handles sub-frames with invalid URLs. It passes if it does not crash.');
+ if (window.testRunner)
+ testRunner.waitUntilDone();
+
+ var lscript = 'script>'
+
+ function runTest() {
+ var doc = document.getElementById('target').contentWindow.document;
+ doc.open();
+ doc.write("<body _onload_='test()'><p>Test Content</p><script>function test() { var doc=document.getElementById('target').contentWindow.document; doc.open(); doc.write('<img src=x _onerror_=alert(0)>'); doc.close(); if (window.testRunner) { testRunner.notifyDone(); } }</" + lscript + "<iframe id='target' src=''></body>");
+ doc.close();
+ }
+ </script>
+</head>
+<body _onload_="runTest()">
+ <iframe id='target' src="" width="500" height="500"></iframe>
+</body>
+</html>
\ No newline at end of file
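Review bot: the harness include on the fourth line of the file, `<script src=""`, is shown with an empty src and without the closing `>` and `</script>`, while `description()` and `testRunner` below depend on that harness being loaded; confirm the committed file carries the full include. Likewise the handlers in the outer body tag and in the written markup appear as `_onload_` and `_onerror_`, which no browser fires; if that is the committed spelling rather than list-archive mangling, runTest() never runs and the test passes vacuously. Also consider adding a trailing newline and a short comment explaining that the nested `doc.open()`/`doc.write()` into an iframe with an empty src is what drives the torn-down-loader path in loadURLIntoChildFrame, so the next person does not simplify the test away.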
Modified: trunk/Source/WebCore/ChangeLog (208291 => 208292)
--- trunk/Source/WebCore/ChangeLog 2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/Source/WebCore/ChangeLog 2016-11-02 18:11:13 UTC (rev 208292)
@@ -1,3 +1,22 @@
+2016-11-02 Brent Fulgham <bfulg...@apple.com>
+
+ WebKit nullptr dereference Archive Subframe
+ https://bugs.webkit.org/show_bug.cgi?id=164281
+ <rdar://problem/28943006>
+
+ Reviewed by Andy Estes.
+
+ If the page is torn down during a load, we can attempt to use a deallocated
+ (and nulled) document loader. Most places that use the "active document loader"
+ null-check it before using, but there was one place that did not. This patch
+ fixes that oversight.
+
+ Test: fast/dom/crash-with-bad-url.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadURLIntoChildFrame): Check that the active document
+ loader is non-null before using.
+
2016-11-02 Dave Hyatt <hy...@apple.com>
[CSS Parser] Support scroll-snap-* properties
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (208291 => 208292)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-11-02 18:11:13 UTC (rev 208292)
@@ -866,7 +866,8 @@
ASSERT(childFrame);
#if ENABLE(WEB_ARCHIVE) || ENABLE(MHTML)
- auto subframeArchive = activeDocumentLoader()->popArchiveForSubframe(childFrame->tree().uniqueName(), url);
+ auto activeLoader = activeDocumentLoader();
+ auto subframeArchive = activeLoader ? activeLoader->popArchiveForSubframe(childFrame->tree().uniqueName(), url) : nullptr;
if (subframeArchive) {
childFrame->loader().loadArchive(WTFMove(subframeArchive));
return;
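Review bot: when `activeLoader` is null, `subframeArchive` is null and control falls past the `if (subframeArchive)` block into the regular child-frame load path that follows this hunk; the ChangeLog says the page is being torn down at this point, so confirm that path tolerates a frame whose document loader has already gone away, or return early right after the null check instead of continuing the load. A one-line comment on the `auto activeLoader = activeDocumentLoader();` line noting that it can be null during teardown would also help, since the other call sites mentioned in the ChangeLog carry the same check without any shared helper.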
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes