[Webkit-unassigned] [Bug 119074] Crash when sharing JS context

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 7 13:12:16 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=119074

Oliver Hunt <oliver at nerget.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oliver at nerget.com

--- Comment #1 from Oliver Hunt <oliver at nerget.com> ---
In the interests of sanity, could you try:

>     JSContextGroupRef group = JSContextGetGroup (webkit_ctx);

Is group null?

In the interests of sanity, possibly retain it until the end of the function?

....
>     for (i = 0; i < nprop; ++i) {
>         JSStringRef prop = JSPropertyNameArrayGetNameAtIndex (props, i);
>         gchar *prop_str = uzbl_js_extract_string (prop);
> 
>         JSValueRef value = uzbl_js_get (webkit_ctx, webkit_object, prop_str);
> 

Make sure value is not null here. JSC isn't the most nullptr-friendly API in places.

....
>     JSObjectSetPrototype (uzbl.state.sharedjscontext,
>         shared_object, webkit_object);

This is concerning for security in general - I'm not sure how SOP will behave here; it should correctly identify the differing origin, but I'm legit not sure.

> }
