buildObjectForEventListener should not call into JSC with a null ExecState
author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Apr 2016 21:24:27 +0000 (21:24 +0000)
committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Apr 2016 21:24:27 +0000 (21:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156923

Reviewed by Joseph Pecoraro.

If a user had disabled JavaScript on their page and the inspector then tried to
add an event listener, we would fail to create an ExecState. Since we didn't
check that this ExecState was valid, we would then attempt to stringify the value,
which would cause JSC to crash.

* inspector/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::buildObjectForEventListener):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199905 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorDOMAgent.cpp

index 656ffab..4eae811 100644 (file)
@@ -1,3 +1,18 @@
+2016-04-22  Keith Miller  <keith_miller@apple.com>
+
+        buildObjectForEventListener should not call into JSC with a null ExecState
+        https://bugs.webkit.org/show_bug.cgi?id=156923
+
+        Reviewed by Joseph Pecoraro.
+
+        If a user had disabled JavaScript on their page then the inspector tried to
+        add an event listener we would fail to create an ExecState. Since we didn't
+        check this ExecState was valid we would then attempt to stringify the value,
+        which would cause JSC to crash.
+
+        * inspector/InspectorDOMAgent.cpp:
+        (WebCore::InspectorDOMAgent::buildObjectForEventListener):
+
 2016-04-22  Dean Jackson  <dino@apple.com>
 
         Yet another attempt at fixing Windows.
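Review bot: The entry describes the crash path as the inspector trying to "add an event listener", but the function being fixed, InspectorDOMAgent::buildObjectForEventListener, builds the protocol object for a listener that already exists on the node; the sentence reads more accurately as "then the inspector tried to build an object for an event listener". The entry also names no test and carries no "No new tests" line with a reason, which WebKit ChangeLog entries normally include; an inspector test that requests the event listeners of a node on a page with JavaScript disabled would exercise the null-ExecState path directly and guard against a regression.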
index 306d3d3..b79c0d7 100644 (file)
@@ -1472,7 +1472,7 @@ Ref<Inspector::Protocol::DOM::EventListener> InspectorDOMAgent::buildObjectForEv
         JSC::JSLockHolder lock(scriptListener->isolatedWorld().vm());
         state = execStateFromNode(scriptListener->isolatedWorld(), &node->document());
         handler = scriptListener->jsFunction(&node->document());
-        if (handler) {
+        if (handler && state) {
             body = handler->toString(state)->value(state);
             if (auto function = JSC::jsDynamicCast<JSC::JSFunction*>(handler)) {
                 if (!function->isHostOrBuiltinFunction()) {
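Review bot: The added `if (handler && state)` guard stops the null dereference, but nothing at the check says why `state` can be null, and a later reader will see `execStateFromNode(...)` on the line above and assume it always succeeds. Add a one-line comment at the guard, e.g. `// execStateFromNode() returns null when scripting is disabled for the document; skip the body and location fields rather than call into JSC.` Two things worth confirming in the same region: `scriptListener->jsFunction(&node->document())` runs before the new guard, so it has to tolerate a document with scripting disabled on its own; and `handler->toString(state)->value(state)` can run script (a listener object with a custom toString) and throw, yet the hunk shows no exception check after it, so the listener object may be built while an exception is still pending on `state`.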