[Webkit-unassigned] [Bug 31886] New: Notification::Notification m_presenter reuse of freed memory
bugzilla-daemon at webkit.org
Wed Nov 25 12:51:03 PST 2009
https://bugs.webkit.org/show_bug.cgi?id=31886
Summary: Notification::Notification m_presenter reuse of freed memory
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: Blocker
Priority: P1
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: skylined at chromium.org
CC: johnnyg at google.com
When creating a notificationCenter from the window, then closing the window
before using the notificationCenter to create a notification, a pointer is used
that now points to freed memory.
Repro:
<SCRIPT>
    // Obtain the notification center from a freshly opened window.
    win=window.open('');
    notificationCenter=win.webkitNotifications;
    // Close the window; its presenter is freed, but notificationCenter still
    // holds a pointer to it.
    win.close();
    setTimeout(function () {
        // Using the stale center dereferences the freed presenter.
        try { n=notificationCenter.createNotification(''); } catch (e) {};
        location.reload();
    }, 100);
</SCRIPT>
This will trigger a pure virtual function call in
WebCore::Notification::Notification:
Notification::Notification(const NotificationContents& contents,
                           ScriptExecutionContext* context, ExceptionCode& ec,
                           NotificationPresenter* provider)
    : ActiveDOMObject(context, this)
    , m_isHTML(false)
    , m_contents(contents)
    , m_isShowing(false)
    , m_presenter(provider)
{
    // v---crash here because m_presenter is invalid.
    if (m_presenter->checkPermission(context->securityOrigin()) !=
        NotificationPresenter::PermissionAllowed) {
        ec = SECURITY_ERR;
        return;
    }
    KURL icon = context->completeURL(contents.icon());
    if (!icon.isEmpty() && !icon.isValid()) {
        ec = SYNTAX_ERR;
        return;
    }
}
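An added illustration, not code from this report or from WebKit, of the lifetime problem behind the crash and one way to model a mitigation: the window owns the presenter, the center holds only a weak reference, and a create call after the window has closed reports an error instead of dereferencing freed memory. All names (Window, Presenter, BuggyCenter, SafeCenter, Result) are hypothetical stand-ins for the WebKit classes.

```cpp
// Hypothetical model of the bug in this report and a mitigated variant; not WebKit source.
#include <memory>

enum class Permission { Allowed, Denied };
enum class Result { Shown, SecurityError, PresenterGone };

// Stand-in for NotificationPresenter. In the report it is owned by the window that
// created the notification center and is destroyed when that window closes.
struct Presenter {
    virtual ~Presenter() = default;
    virtual Permission checkPermission() const = 0;
};
struct AllowingPresenter : Presenter {
    Permission checkPermission() const override { return Permission::Allowed; }
};

// Bug shape: the center keeps a raw, non-owning pointer that nothing clears, so a
// createNotification() after the window closes reads freed memory (shown, not run).
struct BuggyCenter {
    Presenter* m_presenter;
    Result createNotification() const {
        return m_presenter->checkPermission() == Permission::Allowed ? Result::Shown
                                                                     : Result::SecurityError;
    }
};

// Mitigated shape: the window owns the presenter; the center only holds a weak
// reference, so once the window is closed lock() fails and the call is refused
// instead of going through a dangling pointer.
struct Window {
    std::shared_ptr<Presenter> presenter = std::make_shared<AllowingPresenter>();
    void close() { presenter.reset(); }   // window teardown frees the presenter
};
struct SafeCenter {
    std::weak_ptr<Presenter> m_presenter;
    explicit SafeCenter(const Window& w) : m_presenter(w.presenter) {}
    Result createNotification() const {
        std::shared_ptr<Presenter> p = m_presenter.lock();
        if (!p)
            return Result::PresenterGone;      // window already closed: refuse
        return p->checkPermission() == Permission::Allowed ? Result::Shown
                                                           : Result::SecurityError;
    }
};

// Replays the report's sequence against the mitigated center: grab the center,
// close the window, then try to create a notification.
Result replayReport() {
    Window win;
    SafeCenter center(win);
    win.close();
    return center.createNotification();
}
```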