[Webkit-unassigned] [Bug 149864] New: Possible null pointer dereference in WebSocket::connect
bugzilla-daemon at webkit.org
Tue Oct 6 17:41:48 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=149864
Bug ID: 149864
Summary: Possible null pointer dereference in WebSocket::connect
Classification: Unclassified
Product: WebKit
Version: Other
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
I noticed this issue due to the fix for bug #149311.
Later down in WebSocket::connect() there is a call to document.frame()->loader().mixedContentChecker(). I don't see why that doesn't crash now, since it occurs if (is<Document>(*scriptExecutionContext())), the same condition as the null dereference of frame up above, which was problematic in bug #149311. That was "safe" when I added it because document.frame() was assumed to be nonnull up above, but clearly that was wrong and is now no longer the case.
I guess if it's not crashing (is it returning early on an error path?), then it might not be a problem, but it looks dangerous in light of this change... do we need to add a check to make sure frame is not null there? If so, do we need to rethink how to gain access to the mixed content checker, or is the content in a detached frame not going to be loaded? We need to be careful not to accidentally allow loading insecure content here.
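As an added illustration (not WebKit's code; the classes below are simplified stand-ins for Document, Frame, FrameLoader and MixedContentChecker), this shows the pattern the report asks about: the unchecked dereference beside a variant that checks for a detached document and fails closed rather than skipping the mixed content check.

```cpp
#include <string>

// Assumed stand-ins for the WebKit objects WebSocket::connect() touches.
struct MixedContentChecker {
    bool documentIsSecure = false;  // true when the page origin is https
    // A ws:// connection from an https document is insecure (mixed) content.
    bool blocksInsecureWebSocket(const std::string& url) const {
        return documentIsSecure && url.rfind("ws://", 0) == 0;
    }
};
struct FrameLoader {
    MixedContentChecker checker;
    MixedContentChecker& mixedContentChecker() { return checker; }
};
struct Frame {
    FrameLoader frameLoader;
    FrameLoader& loader() { return frameLoader; }
};
struct Document {
    Frame* attachedFrame = nullptr;  // null once the document is detached
    Frame* frame() { return attachedFrame; }
};

enum class ConnectResult { Connected, BlockedMixedContent, DetachedDocument };

// Pattern described in the report: frame() is dereferenced unconditionally,
// so a detached document (frame() == nullptr) crashes here.
ConnectResult connectUnchecked(Document& document, const std::string& url) {
    if (document.frame()->loader().mixedContentChecker().blocksInsecureWebSocket(url))
        return ConnectResult::BlockedMixedContent;
    return ConnectResult::Connected;
}

// Fail-closed variant: with no frame there is no loader to consult, so the
// connection is refused instead of proceeding without the mixed content check.
ConnectResult connectChecked(Document& document, const std::string& url) {
    Frame* frame = document.frame();
    if (!frame)
        return ConnectResult::DetachedDocument;
    if (frame->loader().mixedContentChecker().blocksInsecureWebSocket(url))
        return ConnectResult::BlockedMixedContent;
    return ConnectResult::Connected;
}

// Builds a constructed scenario: an https document, attached or detached.
ConnectResult runScenario(bool attached, const std::string& url) {
    Frame frame;
    frame.loader().mixedContentChecker().documentIsSecure = true;
    Document document;
    document.attachedFrame = attached ? &frame : nullptr;
    return connectChecked(document, url);
}
```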