Changeset 234735 in webkit for trunk/Source/WebKit/UIProcess/WebURLSchemeTask.cpp

Timestamp:

Aug 9, 2018, 2:43:48 PM (7 years ago)

Author:

[email protected]

Message:

WKURLSchemeHandler crashes when sent errors with sync XHR
​https://bugs.webkit.org/show_bug.cgi?id=188358

Patch by Alex Christensen <​[email protected]> on 2018-08-09
Reviewed by Chris Dumez.

Source/WebKit:

• UIProcess/WebURLSchemeTask.cpp:

(WebKit::WebURLSchemeTask::didReceiveData):
(WebKit::WebURLSchemeTask::didComplete):

• UIProcess/WebURLSchemeTask.h:

Tools:

• TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm:

(-[SyncErrorScheme webView:startURLSchemeTask:]):
(-[SyncErrorScheme webView:stopURLSchemeTask:]):
(-[SyncErrorScheme webView:runJavaScriptAlertPanelWithMessage:initiatedByFrame:completionHandler:]):

File:

• trunk/Source/WebKit/UIProcess/WebURLSchemeTask.cpp (modified) (3 diffs)

trunk/Source/WebKit/UIProcess/WebURLSchemeTask.cpp

@@ -97 +97 @@
 }
 
-auto WebURLSchemeTask::didReceiveData(Ref<SharedBuffer> buffer) -> ExceptionType
+auto WebURLSchemeTask::didReceiveData(Ref<SharedBuffer>&& buffer) -> ExceptionType
 {
     if (m_stopped)
@@ -111 +111 @@
 
     if (isSync()) {
-        if (!m_syncData)
-            m_syncData = SharedBuffer::create();
-        m_syncData->append(buffer);
+        if (m_syncData)
+            m_syncData->append(buffer);
+        else
+            m_syncData = WTFMove(buffer);
     }
 
@@ -134 +135 @@
     
     if (isSync()) {
-        m_syncCompletionHandler(m_syncResponse, error, IPC::DataReference { (const uint8_t*)m_syncData->data(), m_syncData->size() });
+        IPC::DataReference data;
+        if (m_syncData)
+            data = { reinterpret_cast<const uint8_t*>(m_syncData->data()), m_syncData->size() };
+        m_syncCompletionHandler(m_syncResponse, error, data);
         m_syncData = nullptr;
     }