Title: [199905] trunk/Source/WebCore
Revision: 199905
Author: keith_mil...@apple.com
Date: 2016-04-22 14:24:27 -0700 (Fri, 22 Apr 2016)

Log Message

buildObjectForEventListener should not call into JSC with a null ExecState
https://bugs.webkit.org/show_bug.cgi?id=156923

Reviewed by Joseph Pecoraro.

If a user had disabled JavaScript on their page and then the inspector tried to
add an event listener, we would fail to create an ExecState. Since we didn't
check that this ExecState was valid, we would then attempt to stringify the value,
which would cause JSC to crash.

* inspector/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::buildObjectForEventListener):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp
Diff

Modified: trunk/Source/WebCore/ChangeLog (199904 => 199905)


--- trunk/Source/WebCore/ChangeLog	2016-04-22 21:22:52 UTC (rev 199904)
+++ trunk/Source/WebCore/ChangeLog	2016-04-22 21:24:27 UTC (rev 199905)
@@ -1,3 +1,18 @@
+2016-04-22  Keith Miller  <keith_mil...@apple.com>
+
+        buildObjectForEventListener should not call into JSC with a null ExecState
+        https://bugs.webkit.org/show_bug.cgi?id=156923
+
+        Reviewed by Joseph Pecoraro.
+
+        If a user had disabled _javascript_ on their page then the inspector tried to
+        add an event listener we would fail to create an ExecState. Since we didn't
+        check this ExecState was valid we would then attempt to stringify the value,
+        which would cause JSC to crash.
+
+        * inspector/InspectorDOMAgent.cpp:
+        (WebCore::InspectorDOMAgent::buildObjectForEventListener):
+
 2016-04-22  Dean Jackson  <d...@apple.com>
 
         Yet another attempt at fixing Windows.
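Review bot: the new ChangeLog entry carries no test line; WebKit ChangeLog entries normally name the test that covers a fix or state why none was added, and this crash has a clearly described trigger (JavaScript disabled for the document while the inspector builds the event-listener object), so either name the inspector test that exercises that path or add a line explaining that it is not covered. Separately, the sentence `If a user had disabled _javascript_ on their page then the inspector tried to` is missing an "and" before "then", and the `_javascript_` spelling should be `JavaScript` in the entry that lands in the repository.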

Modified: trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp (199904 => 199905)


--- trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp	2016-04-22 21:22:52 UTC (rev 199904)
+++ trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp	2016-04-22 21:24:27 UTC (rev 199905)
@@ -1472,7 +1472,7 @@
         JSC::JSLockHolder lock(scriptListener->isolatedWorld().vm());
         state = execStateFromNode(scriptListener->isolatedWorld(), &node->document());
         handler = scriptListener->jsFunction(&node->document());
-        if (handler) {
+        if (handler && state) {
             body = handler->toString(state)->value(state);
             if (auto function = JSC::jsDynamicCast<JSC::JSFunction*>(handler)) {
                 if (!function->isHostOrBuiltinFunction()) {
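Review bot: the added `state` check in `if (handler && state)` correctly guards the visible `handler->toString(state)->value(state)` call, but nothing in the hunk records why `state` can be null here; add a short comment above the condition noting that `execStateFromNode` returns null when JavaScript is disabled for the document, so a later reader does not drop the check as redundant. It is also worth confirming that leaving `body` at its default when the listener exists but no ExecState is available is the intended result for the inspector, since the object is still built and returned without any indication that the handler source could not be retrieved.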
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes