Bug 230121

Summary:

Potential crash under CachedRawResource::didAddClient()

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

WebCore Misc.

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, ews-watchlist, japhet, jean-yves.avenard, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=228108
https://bugs.webkit.org/show_bug.cgi?id=232424

Attachments:

Description	Flags
Patch	none

Chris Dumez

Reported 2021-09-09 13:26:04 PDT

Potential crash under CachedRawResource::didAddClient(): 50 WebCore: WebCore::SharedBuffer::forEachSegment(WTF::Function<void (WTF::Span<unsigned char const, 18446744073709551615ul> const&)> const&) const <== 50 WebCore: WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0::operator()(WebCore::ResourceRequest&&)::'lambda'()::operator()() const 50 WebCore: WTF::Detail::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_4, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) 50 WebKit: WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WebCore::PolicyCheckIdentifier, WTF::String const&, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&)

Attachments
Patch (2.85 KB, patch) 2021-09-09 13:32 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-09-09 13:26:19 PDT

<rdar://82936913>

Chris Dumez

Comment 2 2021-09-09 13:32:07 PDT

Created attachment 437776 [details] Patch

EWS

Comment 3 2021-09-09 15:24:49 PDT

Committed r282241 (241524@main): <https://commits.webkit.org/241524@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 437776 [details].

Jean-Yves Avenard [:jya]

Comment 4 2021-12-22 16:05:45 PST

We can probably revert this following bug 233442. The inner Vector can't be modified while a SharedBuffer is in use anymore.

Note You need to log in before you can comment on or make changes to this bug.