Run the following in the inspector to crash WebKit:

qnx.callExtensionMethod.apply(window, []);

In the C++ that handles the function, it is assumed that when callExtensionMethod is called, 'this' is the object 'qnx'. The qnx object has a hidden variable that the code casts and uses, but when 'this' is not qnx, as in the example, this will cause a crash. Any website can insert the above JavaScript to cause the crash.
Created attachment 152601 [details] patch
Are we sure it is null? If so, it shouldn't be a security issue. But the change log makes me think it could be a non-zero pointer, in which case the patch won't fix it. We could compare the vptr.
It is null, I have a test page for this and confirmed it works.
Edit: to be more clear, in JSObjectRef.cpp JSObjectGetPrivate() will return 0 when the object is not a JSCallbackObject, so a simple check is good enough to stop the crash.
Changing back from security.
Comment on attachment 152601 [details] patch
Clearing flags on attachment: 152601
Committed r122757: <http://trac.webkit.org/changeset/122757>
All reviewed patches have been landed. Closing bug.