WebKit Bugzilla
Attachment 360330 Details for Bug 193901: WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
Attachment: removeUserScriptMessageHandlerInternal-crash.patch (text/plain), 1.64 KB
Description: patch
Creator: Antti Koivisto
Created: 2019-01-28 04:29:00 PST
Size: 1.64 KB
Flags: patch
Status: obsolete
>Index: Source/WebKit/ChangeLog >=================================================================== >--- Source/WebKit/ChangeLog (revision 240577) >+++ Source/WebKit/ChangeLog (working copy) >@@ -1,3 +1,17 @@ >+2019-01-28 Antti Koivisto <antti@apple.com> >+ >+ WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself >+ https://bugs.webkit.org/show_bug.cgi?id=193901 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * WebProcess/UserContent/WebUserContentController.cpp: >+ (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal): >+ >+ Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this >+ (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController). >+ Fix by protecting this over the function. >+ > 2018-12-15 Darin Adler <darin@apple.com> > > Replace many uses of String::format with more type-safe alternatives >Index: Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp >=================================================================== >--- Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (revision 240407) >+++ Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (working copy) >@@ -330,6 +330,8 @@ void WebUserContentController::removeUse > if (it == m_userMessageHandlers.end()) > return; > >+ auto protectedThis = makeRef(*this); >+ > auto& userMessageHandlers = it->value; > bool userMessageHandlersChanged = userMessageHandlers.removeFirstMatching([userScriptMessageHandlerIdentifier](auto& pair) { > return pair.first == userScriptMessageHandlerIdentifier;
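Review bot: the ChangeLog hunk still carries the "Reviewed by NOBODY (OOPS!)" placeholder, which needs the reviewer's name filled in before the patch lands. The entry also says nothing about test coverage: since the bug describes a crash from re-entrant destruction, either name the regression test that exercises removing a message handler whose descriptor proxy holds the last ref, or state why no new test is added, as WebKit ChangeLog entries normally do.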
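Review bot: in the WebUserContentController.cpp hunk, `auto protectedThis = makeRef(*this);` keeps the controller alive across `removeFirstMatching()`, but `auto& userMessageHandlers = it->value;` is a reference into `m_userMessageHandlers` obtained through `it`. If tearing down a WebUserMessageHandlerDescriptorProxy re-enters this controller and mutates `m_userMessageHandlers`, that reference (and `it`) would dangle even though `this` now survives; it is worth confirming the proxy's destructor cannot do that, or otherwise moving the handler vector out of the map before removing from it. Independently, the reason for the protector lives only in the ChangeLog; add a one-line comment above `auto protectedThis = makeRef(*this);` saying that removing the handler may drop the last ref to this object, so the next reader does not remove it as unnecessary.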