Crash under WebPage::beginPrinting when m_printContext becomes null due to synchronou...
Author: aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Sep 2019 19:20:22 +0000 (19:20 +0000)
Committer: aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Sep 2019 19:20:22 +0000 (19:20 +0000)
https://bugs.webkit.org/show_bug.cgi?id=202171
<rdar://problem/49731211>

Reviewed by Tim Horton.

Speculatively fix a null pointer dereference crash in WebPage::beginPrinting.

WebPage::beginPrinting creates a PrintContext, stores it in m_printContext, then calls
PrintContext::begin which forces a synchronous, paginated layout. If a post-layout task
executes script, that might result in the WebPage being closed and m_printContext being set
to nullptr.

Guard against this in WebPage::beginPrinting by adding a null check before calling
PrintContext::computePageRects.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::beginPrinting):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250394 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebPage/WebPage.cpp

index cd7805d..161ddcc 100644 (file)
@@ -1,3 +1,24 @@
+2019-09-26  Andy Estes  <aestes@apple.com>
+
+        Crash under WebPage::beginPrinting when m_printContext becomes null due to synchronous layout
+        https://bugs.webkit.org/show_bug.cgi?id=202171
+        <rdar://problem/49731211>
+
+        Reviewed by Tim Horton.
+
+        Speculatively fix a null pointer dereference crash in WebPage::beginPrinting.
+
+        WebPage::beginPrinting creates a PrintContext, stores it in m_printContext, then calls
+        PrintContext::begin which forces a synchronous, paginated layout. If a post-layout task
+        executes script, that might result in the WebPage being closed and m_printContext being set
+        to nullptr.
+
+        Guard against this in WebPage::beginPrinting by adding a null check before calling
+        PrintContext::computePageRects.
+
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::beginPrinting):
+
 2019-09-26  Kate Cheney  <katherine_cheney@apple.com>
 
         Enable LayoutTests using ResourceLoadStatistics SQLite backend (195420)
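Review bot: the new ChangeLog entry has no test line. WebKit ChangeLog entries normally name the test that covers a change or say why none is added, and this entry only describes the fix as speculative. A sentence in the entry stating whether a test exists and, if not, why (for example that the crash is only known from reports and has not been reproduced in a test, if that is the case) would record why the guard ships without coverage.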
index dfed91e..9675c2c 100644 (file)
@@ -4660,6 +4660,14 @@ void WebPage::beginPrinting(FrameIdentifier frameID, const PrintInfo& printInfo)
     auto computedPageSize = m_printContext->computedPageSize(FloatSize(printInfo.availablePaperWidth, printInfo.availablePaperHeight), printInfo.margin);
     m_printContext->begin(computedPageSize.width(), computedPageSize.height());
 
+    // PrintContext::begin() performed a synchronous layout which might have executed a
+    // script that closed the WebPage, clearing m_printContext.
+    // See <rdar://problem/49731211> for cases of this happening.
+    if (!m_printContext) {
+        unfreezeLayerTree(LayerTreeFreezeReason::Printing);
+        return;
+    }
+
     float fullPageHeight;
     m_printContext->computePageRects(FloatRect(0, 0, computedPageSize.width(), computedPageSize.height()), 0, 0, printInfo.pageSetupScaleFactor, fullPageHeight, true);
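Review bot: the guard only handles m_printContext becoming null, but the script that runs during the synchronous layout inside begin() could just as well replace it (for instance by starting a new print while this call is still on the stack), in which case m_printContext is non-null but no longer the object begin() was called on, and computePageRects would then run on a context for which the local computedPageSize was never computed. Capturing the raw pointer before begin() and taking the same early return when m_printContext no longer matches it would cover both the null and the replaced case. Separately, the early return calls unfreezeLayerTree(LayerTreeFreezeReason::Printing), which balances a freeze earlier in the function that is outside this hunk; it is worth confirming that every other exit path of beginPrinting unfreezes the same way, and that a WebPage which the comment says has been closed is still safe to touch here beyond m_printContext (the WebPage object itself must be kept alive by whoever dispatched the message).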