[webkit-changes] [WebKit/WebKit] 8420f2: Cherry-pick 261547 at main (d55e642abe03). https://bu...
Chris Dumez
noreply at github.com
Thu Mar 16 01:39:46 PDT 2023
Branch: refs/heads/webkitglib/2.38
Home: https://github.com/WebKit/WebKit
Commit: 8420f2e2d649c3c2a16e11a9fec79dfd0f36d6a2
https://github.com/WebKit/WebKit/commit/8420f2e2d649c3c2a16e11a9fec79dfd0f36d6a2
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-03-16 (Thu, 16 Mar 2023)
Changed paths:
M Source/WebKit/UIProcess/WebPageProxy.cpp
Log Message:
-----------
Cherry-pick 261547 at main (d55e642abe03). https://bugs.webkit.org/show_bug.cgi?id=253767
Crash under ProvisionalPageProxy::initializeWebPage()
https://bugs.webkit.org/show_bug.cgi?id=253767
rdar://106597341
Reviewed by David Kilzer.
receivedNavigationPolicyDecision() calls continueNavigationInNewProcess(), which
creates a new ProvisionalPageProxy. The ProvisionalPageProxy constructor calls
ProvisionalPageProxy::initializeWebPage(), which accesses m_page.pageClient()
and crashes with a null dereference.
receivedNavigationPolicyDecision() early returns if Page::isClosed() is true,
which should indicate that the pageClient couldn't have been null initially.
This means the pageClient must have been nulled out in between the isClosed()
check and the ProvisionalPageProxy::initializeWebPage() call. To protect
against this, I am adding a PageClientProtector to this code path, right after
the isClosed() check.
* Source/WebKit/UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::receivedNavigationPolicyDecision):
Canonical link: https://commits.webkit.org/261547@main
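As an added illustration, not WebKit code and not the change this commit makes, here is a constructed C++ analog of the hazard the message describes: an isClosed() check that passes, a re-entrant hook that detaches the client before it is used, and a scoped guard modelled on the role PageClientProtector plays. The names PageClient, Page, ClientProtector and receiveDecision* are assumptions for the example.

```cpp
#include <functional>
#include <memory>

// Constructed analog of the lifetime hazard in the commit above; not WebKit code.
struct PageClient { int initializedPages = 0; void initializeWebPage() { ++initializedPages; } };
class Page {
public:
    explicit Page(std::shared_ptr<PageClient> c) : m_client(std::move(c)) {}
    bool isClosed() const { return m_closed; }
    void detachClient() { m_client.reset(); m_closed = true; }  // may run re-entrantly
    PageClient* pageClient() const { return m_client.get(); }
    std::shared_ptr<PageClient> clientRef() const { return m_client; }
private:
    std::shared_ptr<PageClient> m_client;
    bool m_closed = false;
};
// RAII guard (hypothetical stand-in for PageClientProtector): a strong reference
// that keeps the client alive for this scope even if the page drops its own.
class ClientProtector {
public:
    explicit ClientProtector(const Page& page) : m_keepAlive(page.clientRef()) {}
    PageClient* get() const { return m_keepAlive.get(); }
private:
    std::shared_ptr<PageClient> m_keepAlive;
};
// Unprotected: isClosed() passes, then the hook (re-entrant code) may detach the
// client before it is used. Returns false where the real bug dereferenced null.
bool receiveDecisionUnprotected(Page& page, const std::function<void()>& hook) {
    if (page.isClosed()) return false;
    hook();
    if (!page.pageClient()) return false;  // the real bug dereferenced null here
    page.pageClient()->initializeWebPage();
    return true;
}
// Protected: take the protector right after the isClosed() check.
bool receiveDecisionProtected(Page& page, const std::function<void()>& hook) {
    if (page.isClosed()) return false;
    ClientProtector protector(page);
    hook();
    protector.get()->initializeWebPage();  // still valid: protector holds a reference
    return true;
}
// Drives one scenario in which the hook detaches the client mid-path.
bool scenarioCompletes(bool useProtector) {
    Page page(std::make_shared<PageClient>());
    auto detach = [&page] { page.detachClient(); };
    return useProtector ? receiveDecisionProtected(page, detach)
                        : receiveDecisionUnprotected(page, detach);
}
```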