Bug 64656

Summary: SubresourceLoader::didReceiveDataArray can crash when calling m_client->didReceiveData()
Product: WebKit
Reporter: Pratik Solanki <psolanki>
Component: Platform
Assignee: Pratik Solanki <psolanki>
Status: RESOLVED FIXED
Severity: Normal
CC: psolanki
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
Patch ap: review+, ap: commit-queue-

Description Pratik Solanki 2011-07-16 15:00:33 PDT
SubresourceLoader::didReceiveDataArray() calls m_client->didReceiveData() in a loop. This can crash if m_client is deleted in an iteration. This is similar to bug 60594.
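The hazard described in this report, reduced to a self-contained model (added example; this is not WebKit's code, and the Loader/LoaderClient/CancellingClient names are assumptions). A loader delivers an array of chunks to its client; the client's didReceiveData() callback may tear the client down mid-delivery, so the loop must re-check m_client after every callback instead of trusting the check it made before entering the loop.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

class Loader;

// Client interface. didReceiveData() is re-entrant with respect to the
// loader: it may call back into Loader and destroy the client object.
class LoaderClient {
public:
    virtual ~LoaderClient() = default;
    virtual void didReceiveData(Loader&, const std::string& chunk) = 0;
};

class Loader {
public:
    void setClient(std::unique_ptr<LoaderClient> client) { m_client = std::move(client); }

    // Detaches and destroys the client. A client calling this from inside
    // didReceiveData() is exactly the mid-iteration deletion the bug describes.
    void clearClient() { m_client.reset(); }

    // Delivers chunks one at a time. The m_client test runs at the top of every
    // iteration, so a client destroyed by the previous callback is never
    // dereferenced. Without it, the second call would go through a null
    // (here) or dangling (raw pointer, as in the original) m_client.
    // Returns the number of chunks actually handed to the client.
    size_t didReceiveDataArray(const std::vector<std::string>& chunks) {
        size_t delivered = 0;
        for (const auto& chunk : chunks) {
            if (!m_client)
                break;
            m_client->didReceiveData(*this, chunk);
            ++delivered;
        }
        return delivered;
    }

private:
    std::unique_ptr<LoaderClient> m_client;
};

// Constructed client that cancels (and thereby destroys itself) after
// receiving a given number of chunks. The received count lives outside the
// object because the object is gone once clearClient() returns.
class CancellingClient : public LoaderClient {
public:
    CancellingClient(size_t cancelAfter, size_t* received)
        : m_cancelAfter(cancelAfter), m_received(received) {}

    void didReceiveData(Loader& loader, const std::string&) override {
        size_t seen = ++(*m_received);
        if (seen == m_cancelAfter)
            loader.clearClient(); // destroys *this; no member access after this line
    }

private:
    size_t m_cancelAfter;
    size_t* m_received;
};

// Runs a delivery of totalChunks chunks to a client that cancels after
// cancelAfter chunks (0 = never cancels). Returns how many chunks were delivered.
size_t deliverWithCancellation(size_t cancelAfter, size_t totalChunks) {
    size_t received = 0;
    Loader loader;
    loader.setClient(std::make_unique<CancellingClient>(cancelAfter, &received));
    std::vector<std::string> chunks(totalChunks, "constructed-chunk");
    return loader.didReceiveDataArray(chunks);
}

int main() {
    std::printf("cancel after 2 of 4: delivered %zu\n", deliverWithCancellation(2, 4));
    std::printf("never cancel, 4 chunks: delivered %zu\n", deliverWithCancellation(0, 4));
    return 0;
}
```

The guard only covers the client going away. If a callback could also drop the last reference to the loader itself, the loop additionally needs a protecting reference to the loader held for the duration of the call (the usual WebKit `RefPtr<...> protect(this)` idiom), since the next iteration's m_client read would otherwise be a use-after-free of the loader.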
Comment 1 Pratik Solanki 2011-07-16 15:01:14 PDT
<rdar://problem/9754425>
Comment 2 Pratik Solanki 2011-07-16 15:14:40 PDT
Created attachment 101101 [details]
Patch
Comment 3 Alexey Proskuryakov 2011-07-16 15:23:35 PDT
Comment on attachment 101101 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=101101&action=review

> Source/WebCore/loader/cf/SubresourceLoaderCF.cpp:47
> +            if (!m_client)
> +                break;
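Review bot: the `break` stops dereferencing m_client once a didReceiveData() callback has cleared it, but it does not protect `this` if the same callback can release the loader's last reference; please confirm a protecting reference to the SubresourceLoader is held across the loop (the usual RefPtr protector idiom), since otherwise the `if (!m_client)` read on the next iteration is itself a use-after-free of the loader rather than of the client.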

Please remove a check for m_client that you have above (if (!m_loadingMultipartContent && m_client)).
Comment 4 Pratik Solanki 2011-07-16 16:29:54 PDT
Committed r91157: <http://trac.webkit.org/changeset/91157>