WebKit Bugzilla: Attachment 356638 Details for Bug 192421: Crash under WebCore::cachedDocumentWrapper()
Patch: bug-192421-20181205121430.patch (text/plain), 1.77 KB, created by Chris Dumez on 2018-12-05 12:14:31 PST
>Subversion Revision: 238893 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 55139e2d1c57a9cea9e53b082a6b073ea3cda0c4..82f4f115f3a18a17b9a2a9bbbe1c553143b61423 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,17 @@ >+2018-12-05 Chris Dumez <cdumez@apple.com> >+ >+ Crash under WebCore::cachedDocumentWrapper() >+ https://bugs.webkit.org/show_bug.cgi?id=192421 >+ <rdar://problem/37114163> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Fix potential null defererence of the value returned by toJSDOMWindow(). For example, >+ if the window is frameless, it would return null. >+ >+ * bindings/js/JSDocumentCustom.cpp: >+ (WebCore::cachedDocumentWrapper): >+ > 2018-12-05 Alicia Boya GarcÃa <aboya@igalia.com> > > [MSE][GStreamer] Remove the AppendPipeline state machine >diff --git a/Source/WebCore/bindings/js/JSDocumentCustom.cpp b/Source/WebCore/bindings/js/JSDocumentCustom.cpp >index 5687e4d78c62d08f194b93824646979699c17f8d..42c22bf2cc19628f10a1bcef15a8b553a526231f 100644 >--- a/Source/WebCore/bindings/js/JSDocumentCustom.cpp >+++ b/Source/WebCore/bindings/js/JSDocumentCustom.cpp >@@ -57,8 +57,12 @@ JSObject* cachedDocumentWrapper(ExecState& state, JSDOMGlobalObject& globalObjec > if (!window) > return nullptr; > >+ auto* documentGlobalObject = toJSDOMWindow(state.vm(), toJS(&state, *window)); >+ if (!documentGlobalObject) >+ return nullptr; >+ > // Creating a wrapper for domWindow might have created a wrapper for document as well. >- return getCachedWrapper(toJSDOMWindow(state.vm(), toJS(&state, *window))->world(), document); >+ return getCachedWrapper(documentGlobalObject->world(), document); > } > > void reportMemoryForDocumentIfFrameless(ExecState& state, Document& document)
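Review bot: The ChangeLog description misspells "dereference" as "defererence", and the entry lists only bindings/js/JSDocumentCustom.cpp, so the patch carries no regression test. The entry already names a concrete trigger (a frameless window makes toJSDOMWindow() return null), so consider adding a test that reaches cachedDocumentWrapper() for a document whose window is frameless, or state in the entry why the case cannot be tested.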
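Review bot: In cachedDocumentWrapper(), the new "if (!documentGlobalObject) return nullptr;" check carries no comment saying when toJSDOMWindow() can return null; the frameless-window case is recorded only in the ChangeLog, so a one-line comment above the check would keep that reasoning with the code. The existing comment "Creating a wrapper for domWindow might have created a wrapper for document as well." now sits below the toJS(&state, *window) call it describes; moving it above the "auto* documentGlobalObject = ..." line would keep it next to the wrapper creation.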