Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
author achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Jan 2020 18:40:56 +0000 (18:40 +0000)
committer achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Jan 2020 18:40:56 +0000 (18:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=206204

Source/WebCore:

Patch by Pinki Gyanchandani <pgyanchandani@apple.com> on 2020-01-15
Reviewed by Alex Christensen.

Test: loader/change-src-during-iframe-load-crash.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::frameLoader const):
(WebCore::DocumentLoader::clearMainResourceLoader):

LayoutTests:

Added a NULL pointer check for FrameLoader. If FrameLoader is NULL then return instead of
accessing activeDocumentLoader.

Patch by Pinki Gyanchandani <pgyanchandani@apple.com> on 2020-01-15
Reviewed by Alex Christensen.

* loader/change-src-during-iframe-load-crash-expected.txt: Added.
* loader/change-src-during-iframe-load-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254576 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/http-0.9/xhr-blocked-expected.txt
LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt [new file with mode: 0644]
LayoutTests/loader/change-src-during-iframe-load-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp

index 76f0ad3..6f29606 100644 (file)
@@ -1,3 +1,16 @@
+2020-01-15  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
+        https://bugs.webkit.org/show_bug.cgi?id=206204
+
+        Added a NULL pointer check for FrameLoader. If FramLoader is NULL then return instead of
+        accessing activeDocumentLoader.
+
+        Reviewed by Alex Christensen.
+
+        * loader/change-src-during-iframe-load-crash-expected.txt: Added.
+        * loader/change-src-during-iframe-load-crash.html: Added.
+
 2020-01-15  Jer Noble  <jer.noble@apple.com>
 
         Revert fullscreen CSS quirk for reddit.com; add width and height style to fullscreen.css.
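Review bot: "FramLoader" in the description line ("If FramLoader is NULL then return") is a typo for FrameLoader. Beyond that, this LayoutTests/ChangeLog entry carries the description of the DocumentLoader.cpp fix, while it says nothing about the test being added; the fix description belongs in the Source/WebCore/ChangeLog entry, and this entry should describe what the test exercises, namely changing one iframe's srcdoc from another iframe's load handler and passing when no crash is observed.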
diff --git a/LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt b/LayoutTests/loader/change-src-during-iframe-load-crash-expected.txt
new file mode 100644 (file)
index 0000000..74baf84
--- /dev/null
@@ -0,0 +1 @@
+The test is declared pass if there is no crash observed.
diff --git a/LayoutTests/loader/change-src-during-iframe-load-crash.html b/LayoutTests/loader/change-src-during-iframe-load-crash.html
new file mode 100644 (file)
index 0000000..b8d675f
--- /dev/null
@@ -0,0 +1,20 @@
+<html>
+<script>
+function load() {
+    document.body.innerHTML = 'The test is declared pass if there is no crash observed.';
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+}
+
+function eventhandler3() {
+    iframe1.srcdoc = "x";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+</script>
+<body onload="load()">
+<iframe id="iframe1" src="data:text/html,foo">a</iframe>
+<iframe id="iframe2" onload="eventhandler3()" srcdoc="y">
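Review bot: the file ends on the `<iframe id="iframe2" ...>` line (the hunk is the whole 20-line file) with no closing `</iframe>`, `</body>` or `</html>`; the parser recovers, but the test should be well-formed. Also, `testRunner.waitUntilDone()` is only called from the body's onload handler while `testRunner.notifyDone()` is called from iframe2's onload handler, and subframe load events are dispatched before the parent document's load event, so notifyDone() can run before waitUntilDone(); move the `dumpAsText()` and `waitUntilDone()` calls to the top of the script so they run at parse time, before any load handler fires. `eventhandler3` should get a name that says what it does, e.g. `changeIframe1SrcdocOnLoad`.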
index f05d6e4..bc14c28 100644 (file)
@@ -1,3 +1,16 @@
+2020-01-15  Pinki Gyanchandani  <pgyanchandani@apple.com>
+
+        Null Ptr Deref @ WebCore::DocumentLoader::clearMainResourceLoader
+        https://bugs.webkit.org/show_bug.cgi?id=206204
+
+        Reviewed by Alex Christensen.
+
+        Test: loader/change-src-during-iframe-load-crash.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::frameLoader const):
+        (WebCore::DocumentLoader::clearMainResourceLoader):
+
 2020-01-15  Jer Noble  <jer.noble@apple.com>
 
         Revert fullscreen CSS quirk for reddit.com; add width and height style to fullscreen.css.
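Review bot: this Source/WebCore/ChangeLog entry has no description of the change; the description ("Added a NULL pointer check for FrameLoader ...") was placed in LayoutTests/ChangeLog instead and should be moved here. The entry also lists `(WebCore::DocumentLoader::frameLoader const)` as modified, but the only hunk in DocumentLoader.cpp touches `clearMainResourceLoader`; drop that line unless frameLoader() was actually changed.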
index be27ef1..674d1fb 100644 (file)
@@ -1272,7 +1272,11 @@ void DocumentLoader::clearMainResourceLoader()
 {
     m_loadingMainResource = false;
 
-    if (this == frameLoader()->activeDocumentLoader())
+    auto* frameLoader = this->frameLoader();
+    if (!frameLoader)
+        return;
+
+    if (this == frameLoader->activeDocumentLoader())
         checkLoadComplete();
 }
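Review bot: the early return handles the symptom rather than the cause: `frameLoader()` returning null means this DocumentLoader has already been detached from its Frame, so the question is which caller reaches `clearMainResourceLoader()` on a detached loader (the test removes the iframes via `document.body.innerHTML` while a srcdoc navigation is pending) and whether that caller should stop earlier. If the check stays, add a comment stating that a detached loader is expected here, and note that `m_loadingMainResource = false` is deliberately kept before the return. Style point: the local `auto* frameLoader = this->frameLoader();` shadows the member function and forces the `this->` qualification; `auto* loader = frameLoader();` followed by `if (!loader) return;` reads more cleanly.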