HTMLPlugInImageElement: verify that element is in same document befor…

…e requesting a load https://bugs.webkit.org/show_bug.cgi?id=268769 rdar://121960561 Reviewed by Ryosuke Niwa. The testcase shows a scenario where a plugin is set up to start loading the plugin contents from an event loop, however before the event loop is started the rest of the script will run, which moves the plugin to a different document, thus hitting an ASSERT in WebFrame::createSubframe when the load is performed. Protect against this by returning early when this situation is detected in the event loop. * LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added. * LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added. * Source/WebCore/html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::requestObject): Originally-landed-as: 274097.9@webkit-2024.2-embargoed (f81d56c47751). rdar://128089895 Canonical link: https://commits.webkit.org/278884@main
WebKit · May 16, 2024 · 3f5fc52 · 3f5fc52
1 parent 72485b3
commit 3f5fc52
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/...ecurity/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt b/...ecurity/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt
@@ -0,0 +1 @@
+PASS if no crash.
diff --git a/...tTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html b/...tTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<embed id="embed"></embed>
+<iframe id="iframe"></iframe>
+<object id="object"></object>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+  doc = new DOMParser().parseFromString("foo", "text/html");
+  object.data = "x";
+  var embed = document.getElementById("embed");
+  iframe.contentDocument.adoptNode(embed);
+  embed.bar;
+  doc.body.appendChild(object);
+  document.body.replaceWith("PASS if no crash.");
+</script>
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -324,8 +324,8 @@ bool HTMLPlugInImageElement::requestObject(const String& relativeURL, const Stri
     if (ScriptDisallowedScope::InMainThread::isScriptAllowed())
         return document->frame()->loader().subframeLoader().requestObject(*this, relativeURL, getNameAttribute(), mimeType, paramNames, paramValues);
 
-    document->eventLoop().queueTask(TaskSource::Networking, [this, protectedThis = Ref { *this }, relativeURL, nameAttribute = getNameAttribute(), mimeType, paramNames, paramValues]() mutable {
-        if (!isConnected())
+    document->eventLoop().queueTask(TaskSource::Networking, [this, protectedThis = Ref { *this }, relativeURL, nameAttribute = getNameAttribute(), mimeType, paramNames, paramValues, document]() mutable {
+        if (!this->isConnected() || &this->document() != document.ptr())
             return;
         RefPtr frame = this->document().frame();
         if (!frame)