Title: [208292] trunk
Revision: 208292
Author: bfulg...@apple.com
Date: 2016-11-02 11:11:13 -0700 (Wed, 02 Nov 2016)

Log Message

WebKit nullptr dereference Archive Subframe
https://bugs.webkit.org/show_bug.cgi?id=164281
<rdar://problem/28943006>

Reviewed by Andy Estes.

Source/WebCore:

If the page is torn down during a load, we can attempt to use a deallocated
(and nulled) document loader. Most places that use the "active document loader"
null-check it before using, but there was one place that did not. This patch
fixes that oversight.

Test: fast/dom/crash-with-bad-url.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURLIntoChildFrame): Check that the active document
loader is non-null before using.

LayoutTests:

* fast/dom/crash-with-bad-url-expected.txt: Added.
* fast/dom/crash-with-bad-url.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/FrameLoader.cpp

Added Paths

trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt
trunk/LayoutTests/fast/dom/crash-with-bad-url.html
Diff

Modified: trunk/LayoutTests/ChangeLog (208291 => 208292)


--- trunk/LayoutTests/ChangeLog	2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/LayoutTests/ChangeLog	2016-11-02 18:11:13 UTC (rev 208292)
@@ -1,3 +1,14 @@
+2016-11-02  Brent Fulgham  <bfulg...@apple.com>
+
+        WebKit nullptr dereference Archive Subframe
+        https://bugs.webkit.org/show_bug.cgi?id=164281
+        <rdar://problem/28943006>
+
+        Reviewed by Andy Estes.
+
+        * fast/dom/crash-with-bad-url-expected.txt: Added.
+        * fast/dom/crash-with-bad-url.html: Added.
+
 2016-11-02  Ryan Haddad  <ryanhad...@apple.com>
 
         Marking media/modern-media-controls/scrubber-support/scrubber-support-drag.html as flaky.

Added: trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt (0 => 208292)


--- trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/crash-with-bad-url-expected.txt	2016-11-02 18:11:13 UTC (rev 208292)
@@ -0,0 +1,7 @@
+ALERT: 0
+This tests that WebKit properly handles sub-frames with invalid URLs. It passes if it does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+
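Review bot: the expected output promises "a series of "PASS" messages, followed by "TEST COMPLETE"", but the only line the test actually produces is `ALERT: 0`; because the test ends with `testRunner.notifyDone()` rather than the js-test harness's `finishJSTest()`, no "TEST COMPLETE" marker is ever printed. Either drop the js-test boilerplate wording from the description or finish through `finishJSTest()` so the expected file documents a recognisable success marker instead of only the alert.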

Added: trunk/LayoutTests/fast/dom/crash-with-bad-url.html (0 => 208292)


--- trunk/LayoutTests/fast/dom/crash-with-bad-url.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/crash-with-bad-url.html	2016-11-02 18:11:13 UTC (rev 208292)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <script src=""
+    <script>
+    description('This tests that WebKit properly handles sub-frames with invalid URLs. It passes if it does not crash.');
+    if (window.testRunner)
+        testRunner.waitUntilDone();
+
+    var lscript = 'script>'
+
+    function runTest() {
+        var doc = document.getElementById('target').contentWindow.document;
+        doc.open();
+        doc.write("<body _onload_='test()'><p>Test Content</p><script>function test() { var doc=document.getElementById('target').contentWindow.document; doc.open(); doc.write('<img src=x _onerror_=alert(0)>'); doc.close(); if (window.testRunner) { testRunner.notifyDone(); } }</" + lscript + "<iframe id='target' src=''></body>");
+        doc.close();
+    }
+    </script>
+</head>
+<body _onload_="runTest()">
+    <iframe id='target' src="" width="500" height="500"></iframe>
+</body>
+</html>
\ No newline at end of file
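Review bot: as rendered here the harness include on the line `<script src=""` is truncated (no path and no closing tag) and the event attributes appear as `_onload_` / `_onerror_`, which looks like list-server mangling rather than the committed source; worth confirming that the committed file carries the real js-test include and plain `onload` / `onerror` attributes, since both the `description()` call and the `ALERT: 0` expectation depend on them. Separately, `testRunner.notifyDone()` is only reached from inside the nested `test()` handler, so if the inner frame's load never fires the test hangs until the harness timeout instead of failing promptly; a fallback path to `notifyDone()` would make a regression show up as a clear failure.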

Modified: trunk/Source/WebCore/ChangeLog (208291 => 208292)


--- trunk/Source/WebCore/ChangeLog	2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/Source/WebCore/ChangeLog	2016-11-02 18:11:13 UTC (rev 208292)
@@ -1,3 +1,22 @@
+2016-11-02  Brent Fulgham  <bfulg...@apple.com>
+
+        WebKit nullptr dereference Archive Subframe
+        https://bugs.webkit.org/show_bug.cgi?id=164281
+        <rdar://problem/28943006>
+
+        Reviewed by Andy Estes.
+
+        If the page is torn down during a load, we can attempt to use a deallocated
+        (and nulled) document loader. Most places that use the "active document loader"
+        null-check it before using, but there was one place that did not. This patch
+        fixes that oversight.
+
+        Test: fast/dom/crash-with-bad-url.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::loadURLIntoChildFrame): Check that the active document
+        loader is non-null before using.
+
 2016-11-02  Dave Hyatt  <hy...@apple.com>
 
         [CSS Parser] Support scroll-snap-* properties

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (208291 => 208292)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2016-11-02 18:07:32 UTC (rev 208291)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2016-11-02 18:11:13 UTC (rev 208292)
@@ -866,7 +866,8 @@
     ASSERT(childFrame);
 
 #if ENABLE(WEB_ARCHIVE) || ENABLE(MHTML)
-    auto subframeArchive = activeDocumentLoader()->popArchiveForSubframe(childFrame->tree().uniqueName(), url);
+    auto activeLoader = activeDocumentLoader();
+    auto subframeArchive = activeLoader ? activeLoader->popArchiveForSubframe(childFrame->tree().uniqueName(), url) : nullptr;
     if (subframeArchive) {
         childFrame->loader().loadArchive(WTFMove(subframeArchive));
         return;
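Review bot: the null check only guards the archive lookup; when `activeDocumentLoader()` returns null (the torn-down-page case the ChangeLog describes), `subframeArchive` is null and control falls through to the ordinary child-frame load below the hunk, so the open question is whether proceeding with a load on a frame that no longer has an active document loader is intended, or whether an early return after the `#if` block would be the safer choice. A one-line comment explaining why the null case is reachable (page teardown mid-load) would also help the next reader, since the other null checks the ChangeLog refers to are not visible in this hunk.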
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
