[Webkit-unassigned] [Bug 33984] New: Null pointer dereference when FrameLoader::loadPlugin fails to set widget
bugzilla-daemon at webkit.org
Thu Jan 21 19:14:55 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=33984
Summary: Null pointer dereference when FrameLoader::loadPlugin fails to set widget
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: Plug-ins
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: evan at chromium.org
FrameLoader::loadPlugin looks like this, in part:
    widget = m_client->createPlugin(IntSize(renderer->contentWidth(), renderer->contentHeight()),
                                    element, url, paramNames, paramValues, mimeType,
                                    m_frame->document()->isPluginDocument() && !m_containsPlugIns);
    if (widget) {
        renderer->setWidget(widget);
        m_containsPlugIns = true;
    }
createPlugin can fail and return a NULL widget, when the plugin fails to
initialize.
So now we still have a renderer, but it has no widget.
Later, in PluginTokenizer::writeRawData:
    m_doc->updateLayout();
    if (RenderWidget* renderer = toRenderWidget(m_embedElement->renderer())) {
        frame->loader()->client()->redirectDataToPlugin(renderer->widget()); // ***
        frame->loader()->activeDocumentLoader()->mainResourceLoader()->setShouldBufferData(false);
    }
    finish();
This attempts to redirect data to the (null) plugin widget, and crashes.
Putting a null check just above the *** doesn't solve the problem, as we then
hit a later ASSERT() in FrameLoader::addData() where we check
document()->parsing(). That fails because we've already closed the document
(in finish()).
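The following C++ model is added here as an illustration and is not code from the report or from WebKit. It reproduces the two-stage failure described above with hypothetical stand-ins for the WebKit names mentioned (Widget, RenderWidget, Document, createPlugin, writeRawData, addData): the unconditional use of renderer->widget() after a failed createPlugin(), the null check that merely moves the failure to the parsing assertion because finish() still closes the document, and one defensive handling that keeps the document open when no widget exists. That last variant is an illustrative alternative, not the fix WebKit adopted.

```cpp
// Illustrative model of the failure sequence in bug 33984. Not WebKit code: every
// type and function here is a hypothetical stand-in for the WebKit names in the report.
#include <string>
#include <vector>

struct Widget {
    std::vector<std::string> received;   // chunks redirected to the plug-in
};

struct RenderWidget {
    Widget* widget = nullptr;            // stays null when createPlugin() fails
};

struct Document {
    bool parsing = true;                 // what ASSERT(document()->parsing()) checks
    std::string body;                    // data consumed by the ordinary parser path
    void finish() { parsing = false; }
};

enum class Outcome {
    Redirected,        // chunk handed to the plug-in widget
    NullDereference,   // renderer->widget() was null and used anyway (the crash)
    Finished,          // document closed without a plug-in taking over
    AssertWouldFire,   // addData() reached an already-closed document
    Parsed,            // chunk consumed by the document parser
    NoPluginFallback   // no widget: document kept open instead of redirecting
};

struct PluginSession {
    Widget plugin;                       // storage for the widget, if one is created
    RenderWidget renderer;
    Document doc;
    bool dataRedirected = false;         // set once data is routed to the plug-in
};

// Hypothetical createPlugin(): returns nullptr when the plug-in fails to initialise.
Widget* createPlugin(PluginSession& s, bool pluginInitialises) {
    return pluginInitialises ? &s.plugin : nullptr;
}

// loadPlugin step: the renderer exists either way, but only gets a widget on success.
void loadPlugin(PluginSession& s, bool pluginInitialises) {
    if (Widget* w = createPlugin(s, pluginInitialises))
        s.renderer.widget = w;
}

// Shape of the original writeRawData(): uses the widget unconditionally, then finish().
Outcome writeRawDataOriginal(PluginSession& s, const std::string& chunk) {
    Widget* w = s.renderer.widget;
    if (!w)
        return Outcome::NullDereference; // real code would crash at the *** line
    w->received.push_back(chunk);
    s.dataRedirected = true;
    s.doc.finish();
    return Outcome::Redirected;
}

// Null check alone: avoids the crash but still closes the document, so the next
// chunk arriving through addData() trips ASSERT(document()->parsing()).
Outcome writeRawDataNullCheckOnly(PluginSession& s, const std::string& chunk) {
    if (Widget* w = s.renderer.widget) {
        w->received.push_back(chunk);
        s.dataRedirected = true;
    }
    s.doc.finish();
    return s.dataRedirected ? Outcome::Redirected : Outcome::Finished;
}

// One defensive handling (illustrative, not WebKit's fix): without a widget, do not
// enter the plug-in path at all; keep the document open so later data has a destination.
Outcome writeRawDataDefensive(PluginSession& s, const std::string& chunk) {
    Widget* w = s.renderer.widget;
    if (!w) {
        s.doc.body += chunk;
        return Outcome::NoPluginFallback;
    }
    w->received.push_back(chunk);
    s.dataRedirected = true;
    s.doc.finish();
    return Outcome::Redirected;
}

// Shape of FrameLoader::addData() for a subsequent chunk of the main resource.
Outcome addData(PluginSession& s, const std::string& chunk) {
    if (s.dataRedirected) {
        s.renderer.widget->received.push_back(chunk);
        return Outcome::Redirected;
    }
    if (!s.doc.parsing)
        return Outcome::AssertWouldFire;   // ASSERT(document()->parsing()) fails here
    s.doc.body += chunk;
    return Outcome::Parsed;
}
```

Running the three writeRawData variants against a session whose loadPlugin() step failed shows the progression the report describes: the original shape reports the null dereference, the null-check-only shape closes the document and the next addData() hits the assertion, and the defensive shape keeps parsing both chunks.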