[Webkit-unassigned] [Bug 119074] Crash when sharing JS context
bugzilla-daemon at webkit.org
Wed Aug 7 13:12:16 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=119074
Oliver Hunt <oliver at nerget.com> changed:
What | Removed | Added
-----|---------|--------------------
CC   |         | oliver at nerget.com
--- Comment #1 from Oliver Hunt <oliver at nerget.com> ---
In the interests of sanity, could you try:
> JSContextGroupRef group = JSContextGetGroup (webkit_ctx);
Is group null?
In the interests of sanity, possibly retain it until the end of the function?
....
> for (i = 0; i < nprop; ++i) {
>     JSStringRef prop = JSPropertyNameArrayGetNameAtIndex (props, i);
>     gchar *prop_str = uzbl_js_extract_string (prop);
>
>     JSValueRef value = uzbl_js_get (webkit_ctx, webkit_object, prop_str);
>
Make sure value is not null here. JSC isn't the most nullptr-friendly API in places.
....
> JSObjectSetPrototype (uzbl.state.sharedjscontext,
>                       shared_object, webkit_object);
This is concerning in general security terms - I'm not sure how SOP will behave here; it should correctly identify a differing origin, but I'm legit not sure.
> }