[Webkit-unassigned] [Bug 149864] New: Possible null pointer dereference in WebSocket::connect

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 6 17:41:48 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=149864

            Bug ID: 149864
           Summary: Possible null pointer dereference in
                    WebSocket::connect
    Classification: Unclassified
           Product: WebKit
           Version: Other
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com

I noticed this issue due to the fix for bug #149311.

Later down in WebSocket::connect() there is a call to document.frame()->loader().mixedContentChecker(). I don't see why that doesn't crash now, since it occurs if (is<Document>(*scriptExecutionContext())), the same condition as the null dereference of frame up above, which was problematic in bug #149311. That was "safe" when I added it because document.frame() was assumed to be nonnull up above, but clearly that was wrong and is now no longer the case.

I guess if it's not crashing (is it returning early on an error path?), then it might not be a problem, but it looks dangerous in light of this change... do we need to add a check to make sure frame is not null there? If so, do we need to rethink how to gain access to the mixed content checker, or is the content in a detached frame not going to be loaded? We need to be careful not to accidentally allow loading insecure content here.

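The concern above is the classic shape of a null-pointer bug with a security twist: the pointer being dereferenced is the only route to a security check, so the fix cannot simply skip the check when the pointer is null. The following is an added illustration, not WebKit code: it models a document that may be detached from its frame with hypothetical stand-in classes (Document, Frame, FrameLoader, MixedContentChecker and the ConnectResult enum are all constructed for this example) and shows the unguarded call beside a guarded version that fails closed when no frame, and hence no checker, is available.

```cpp
#include <cassert>
#include <iostream>
#include <string>

// Hypothetical minimal model (not WebKit's real classes) of the situation in
// the report: a Document may or may not be attached to a Frame, and the
// mixed-content check is reachable only through the frame's loader.

struct MixedContentChecker {
    // Allow the connection unless a secure page tries to open an insecure socket.
    bool canConnect(const std::string& pageOrigin, const std::string& url) const {
        bool pageSecure = pageOrigin.rfind("https://", 0) == 0;
        bool urlSecure = url.rfind("wss://", 0) == 0;
        return !pageSecure || urlSecure;
    }
};

struct FrameLoader {
    MixedContentChecker checker;
    MixedContentChecker& mixedContentChecker() { return checker; }
};

struct Frame {
    FrameLoader frameLoader;
    FrameLoader& loader() { return frameLoader; }
};

struct Document {
    std::string origin;
    Frame* attachedFrame;           // nullptr once the document is detached
    Frame* frame() const { return attachedFrame; }
};

Document makeDocument(const std::string& origin, Frame* frame) {
    return Document{origin, frame};
}

enum class ConnectResult { Ok, SecurityError, Detached };

// Unguarded pattern: dereferences frame() unconditionally, so a detached
// document (frame() == nullptr) crashes here. Shown for contrast only.
ConnectResult connectUnchecked(Document& document, const std::string& url) {
    if (!document.frame()->loader().mixedContentChecker().canConnect(document.origin, url))
        return ConnectResult::SecurityError;
    return ConnectResult::Ok;
}

// Guarded pattern: no frame means the mixed-content check cannot be run, so
// refuse the connection (fail closed) instead of silently skipping the check.
ConnectResult connectGuarded(Document& document, const std::string& url) {
    Frame* frame = document.frame();
    if (!frame)
        return ConnectResult::Detached;
    if (!frame->loader().mixedContentChecker().canConnect(document.origin, url))
        return ConnectResult::SecurityError;
    return ConnectResult::Ok;
}

int main() {
    Frame frame;
    Document attached = makeDocument("https://example.test", &frame);
    Document detached = makeDocument("https://example.test", nullptr);

    std::cout << "attached, wss: " << (connectGuarded(attached, "wss://example.test/") == ConnectResult::Ok) << '\n';
    std::cout << "attached, ws:  " << (connectGuarded(attached, "ws://example.test/") == ConnectResult::SecurityError) << '\n';
    std::cout << "detached, wss: " << (connectGuarded(detached, "wss://example.test/") == ConnectResult::Detached) << '\n';
    return 0;
}
```

The design point is the ordering of outcomes: the guarded version returns Detached before it ever consults the checker, so a null frame can never turn into "check skipped, connection allowed", which is the outcome the report warns about. Whether a detached document should be refused outright or handled some other way is a policy question for the real code base; what the guard guarantees is that the answer is never decided by accident.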