Bug 64656

Summary: SubresourceLoader::didReceiveDataArray can crash when calling m_client->didReceiveData()
Product: WebKit Reporter: Pratik Solanki <psolanki>
Component: PlatformAssignee: Pratik Solanki <psolanki>
Status: RESOLVED FIXED    
Severity: Normal CC: psolanki
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ap: review+, ap: commit-queue-

Pratik Solanki
Reported 2011-07-16 15:00:33 PDT
SubresourceLoader::didReceiveDataArray() calls m_client->didReceiveData() in a loop. This can crash if m_client is deleted in an iteration. This is similar to bug 60594.
Attachments
Patch (1.61 KB, patch)
2011-07-16 15:14 PDT, Pratik Solanki 		ap: review+
ap: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Pratik Solanki
Comment 1 2011-07-16 15:01:14 PDT
<rdar://problem/9754425>
Pratik Solanki
Comment 2 2011-07-16 15:14:40 PDT
Created attachment 101101 [details] Patch
Alexey Proskuryakov
Comment 3 2011-07-16 15:23:35 PDT
Comment on attachment 101101 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=101101&action=review > Source/WebCore/loader/cf/SubresourceLoaderCF.cpp:47 > + if (!m_client) > + break; Please remove a check for m_client that you have above (if (!m_loadingMultipartContent && m_client)).
Pratik Solanki
Comment 4 2011-07-16 16:29:54 PDT
Committed r91157: <http://trac.webkit.org/changeset/91157>
Note You need to log in before you can comment on or make changes to this bug.