[Webkit-unassigned] [Bug 249060] New: Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorkerClient()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 9 18:22:15 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249060

            Bug ID: 249060
           Summary: Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorkerClient()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Service Workers
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org
                CC: youennf at gmail.com

Fix use-after-move in WebCore::SWClientConnection::postMessageToServiceWorkerClient() from Source/WebCore/workers/service/SWClientConnection.cpp.

The `message` variable is involved in a use-after-move in the method below: it is moved into the lambda passed to `ScriptExecutionContext::postTaskTo()` regardless of whether a task is dispatched, and then moved a second time into the shared-worker task when `wasDispatched` is `false`.

```
void SWClientConnection::postMessageToServiceWorkerClient(ScriptExecutionContextIdentifier destinationContextIdentifier, MessageWithMessagePorts&& message, ServiceWorkerData&& sourceData, String&& sourceOrigin)
{
    ASSERT(isMainThread());

    if (auto* destinationDocument = Document::allDocumentsMap().get(destinationContextIdentifier)) {
        postMessageToContainer(*destinationDocument, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
        return;
    }

    bool wasDispatched = ScriptExecutionContext::postTaskTo(destinationContextIdentifier, [message = WTFMove(message), sourceData = WTFMove(sourceData).isolatedCopy(), sourceOrigin = WTFMove(sourceOrigin).isolatedCopy()](auto& context) mutable {
        postMessageToContainer(context, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
    });
    if (wasDispatched)
        return;

    if (auto* sharedWorker = SharedWorkerThreadProxy::byIdentifier(destinationContextIdentifier)) {
        sharedWorker->thread().runLoop().postTask([message = WTFMove(message), sourceData = WTFMove(sourceData).isolatedCopy(), sourceOrigin = WTFMove(sourceOrigin).isolatedCopy()] (auto& context) mutable {
            postMessageToContainer(context, WTFMove(message), WTFMove(sourceData), WTFMove(sourceOrigin));
        });
    }
}
```
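A self-contained model of the move ordering described above, added here as an illustration and not WebKit code. `Message`, `postTaskTo`, the two queue registries and the `deliverMoveOnce` variant are all constructed for this example; the corrected ordering shown is one way to move `message` exactly once and is not the patch the bug tracks. A moved-from `std::shared_ptr` is guaranteed empty, so the fallback path's empty payload is directly observable:

```cpp
#include <cstddef>
#include <functional>
#include <initializer_list>
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for MessageWithMessagePorts (constructed for this example).
struct Message {
    std::shared_ptr<const std::string> payload;
};

using Task = std::function<void()>;

static constexpr int kContextId = 1;      // stands in for a Document/worker context
static constexpr int kSharedWorkerId = 2; // stands in for a SharedWorkerThreadProxy

// Constructed destination registries, keyed by context identifier.
static std::map<int, std::vector<Task>> g_contextQueues;
static std::map<int, std::vector<Task>> g_sharedWorkerQueues;

// Models ScriptExecutionContext::postTaskTo(): the caller has already built the
// task (moving `message` into it) before learning whether a destination exists.
static bool postTaskTo(int id, Task&& task)
{
    auto it = g_contextQueues.find(id);
    if (it == g_contextQueues.end())
        return false; // the task, and the payload captured inside it, die here
    it->second.push_back(std::move(task));
    return true;
}

static std::size_t payloadSize(const Message& m)
{
    return m.payload ? m.payload->size() : 0;
}

// Runs and clears every task queued for `id` on either destination kind.
static void runQueued(int id)
{
    for (auto* queues : { &g_contextQueues, &g_sharedWorkerQueues }) {
        auto it = queues->find(id);
        if (it == queues->end())
            continue;
        for (auto& task : it->second)
            task();
        it->second.clear();
    }
}

// Ordering from the report: `message` is moved into the postTaskTo lambda whether
// or not a context exists, then moved again on the shared-worker fallback.
// Returns the payload size the receiving task observed.
static std::size_t deliverUseAfterMove(int id, Message message)
{
    std::size_t observed = 0;
    bool wasDispatched = postTaskTo(id, [message = std::move(message), &observed]() {
        observed = payloadSize(message);
    });
    if (!wasDispatched) {
        // `message` is moved-from here: the fallback task receives an empty payload.
        auto it = g_sharedWorkerQueues.find(id);
        if (it != g_sharedWorkerQueues.end())
            it->second.push_back([message = std::move(message), &observed]() {
                observed = payloadSize(message);
            });
    }
    runQueued(id);
    return observed;
}

// One corrected ordering (illustration only, not the WebKit patch): resolve which
// destination exists first, so `message` is moved exactly once.
static std::size_t deliverMoveOnce(int id, Message message)
{
    std::size_t observed = 0;
    auto onReceive = [&observed](const Message& m) { observed = payloadSize(m); };
    if (g_contextQueues.count(id)) {
        postTaskTo(id, [message = std::move(message), onReceive]() { onReceive(message); });
    } else {
        auto it = g_sharedWorkerQueues.find(id);
        if (it != g_sharedWorkerQueues.end())
            it->second.push_back([message = std::move(message), onReceive]() { onReceive(message); });
    }
    runQueued(id);
    return observed;
}

// Fresh registries with one context and one shared worker; posts a constructed
// 5-byte message to `destination` and reports what the receiver saw.
static std::size_t runScenario(bool moveOnce, int destination)
{
    g_contextQueues.clear();
    g_sharedWorkerQueues.clear();
    g_contextQueues.emplace(kContextId, std::vector<Task>{});
    g_sharedWorkerQueues.emplace(kSharedWorkerId, std::vector<Task>{});
    Message message{ std::make_shared<const std::string>("hello") }; // constructed sample
    return moveOnce ? deliverMoveOnce(destination, std::move(message))
                    : deliverUseAfterMove(destination, std::move(message));
}

int main()
{
    std::cout << "report ordering, context target:       " << runScenario(false, kContextId) << "\n";
    std::cout << "report ordering, shared-worker target: " << runScenario(false, kSharedWorkerId) << "\n";
    std::cout << "move-once ordering, shared-worker:     " << runScenario(true, kSharedWorkerId) << "\n";
    return 0;
}
```

The shared-worker target under the report's ordering receives a payload of size 0 while the other cases receive 5. Because a moved-from object is still a valid object, neither ASan nor UBSan reports anything here; this class of defect is caught by static analysis (clang-tidy's `bugprone-use-after-move` check flags a variable that is moved and then read on a reachable path) or, as in this bug, by code review.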
