Skip to site navigation (Press enter)

[webkit-changes] [238905] trunk/Source/WebCore

cdumez Wed, 05 Dec 2018 13:00:59 -0800

Title: [238905] trunk/Source/WebCore

Revision: 238905
Author: [email protected]
Date: 2018-12-05 12:58:55 -0800 (Wed, 05 Dec 2018)

Log Message

Crash under WebCore::cachedDocumentWrapper()
https://bugs.webkit.org/show_bug.cgi?id=192421
<rdar://problem/37114163>


Reviewed by Alex Christensen.

Fix potential null defererence of the value returned by toJSDOMWindow(). For example,
if the window is frameless, it would return null.

* bindings/js/JSDocumentCustom.cpp:
(WebCore::cachedDocumentWrapper):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (238904 => 238905)


--- trunk/Source/WebCore/ChangeLog	2018-12-05 20:21:54 UTC (rev 238904)
+++ trunk/Source/WebCore/ChangeLog	2018-12-05 20:58:55 UTC (rev 238905)
@@ -1,3 +1,17 @@
+2018-12-05  Chris Dumez  <[email protected]>
+
+        Crash under WebCore::cachedDocumentWrapper()
+        https://bugs.webkit.org/show_bug.cgi?id=192421
+        <rdar://problem/37114163>
+
+        Reviewed by Alex Christensen.
+
+        Fix potential null defererence of the value returned by toJSDOMWindow(). For example,
+        if the window is frameless, it would return null.
+
+        * bindings/js/JSDocumentCustom.cpp:
+        (WebCore::cachedDocumentWrapper):
+
 2018-12-05  Eric Carlson  <[email protected]>
 
         [MediaStream] Cleanup up Mac screen capture class

Modified: trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp (238904 => 238905)


--- trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2018-12-05 20:21:54 UTC (rev 238904)
+++ trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2018-12-05 20:58:55 UTC (rev 238905)
@@ -57,8 +57,12 @@
     if (!window)
         return nullptr;
 
+    auto* documentGlobalObject = toJSDOMWindow(state.vm(), toJS(&state, *window));
+    if (!documentGlobalObject)
+        return nullptr;
+
     // Creating a wrapper for domWindow might have created a wrapper for document as well.
-    return getCachedWrapper(toJSDOMWindow(state.vm(), toJS(&state, *window))->world(), document);
+    return getCachedWrapper(documentGlobalObject->world(), document);
 }
 
 void reportMemoryForDocumentIfFrameless(ExecState& state, Document& document)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes