[Webkit-unassigned] [Bug 209987] New: Use-after-move of `formState` in WebCore::PolicyChecker::checkNavigationPolicy()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 3 14:23:09 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=209987

            Bug ID: 209987
           Summary: Use-after-move of `formState` in
                    WebCore::PolicyChecker::checkNavigationPolicy()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Forms
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: beidson at apple.com, cdumez at apple.com, rniwa at webkit.org,
                    wenson_hsieh at apple.com

Use-after-move of `formState` in WebCore::PolicyChecker::checkNavigationPolicy().

The last if/else statement uses formState.get(), but that's been moved into the `decisionHandler` lambda.

void PolicyChecker::checkNavigationPolicy(ResourceRequest&& request, const ResourceResponse& redirectResponse, DocumentLoader* loader, RefPtr<FormState>&& formState, NavigationPolicyDecisionFunction&& function, PolicyDecisionMode policyDecisionMode)
{
    [...]
    FramePolicyFunction decisionHandler = [this, function = WTFMove(function), request = ResourceRequest(request), formState = WTFMove(formState), suggestedFilename = WTFMove(suggestedFilename),
         blobURLLifetimeExtension = WTFMove(blobURLLifetimeExtension), requestIdentifier, isInitialEmptyDocumentLoad] (PolicyAction policyAction, PolicyCheckIdentifier responseIdentifier) mutable {
        [...]
    };

    if (isInitialEmptyDocumentLoad) {
        // We ignore the response from the client for initial empty document loads and proceed with the load synchronously.
        m_frame.loader().client().dispatchDecidePolicyForNavigationAction(action, request, redirectResponse, formState.get(), policyDecisionMode, requestIdentifier, [](PolicyAction, PolicyCheckIdentifier) { });
        decisionHandler(PolicyAction::Use, requestIdentifier);
    } else
        m_frame.loader().client().dispatchDecidePolicyForNavigationAction(action, request, redirectResponse, formState.get(), policyDecisionMode, requestIdentifier, WTFMove(decisionHandler));
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200403/1ba76ab2/attachment-0001.htm>

More information about the webkit-unassigned mailing list