Merge r186666 - Plugin create can end up destroying its renderer.

https://bugs.webkit.org/show_bug.cgi?id=146824 rdar://problem/18921429 Reviewed by Andreas Kling. Plugins can run arbitrary code during initialization. If the plugin happens to destroy the associated node, its renderer becomes invalid. This patch checks whether the renderer survived the createPlugin() call. (This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.) Speculative fix. Not reproducible. * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadPlugin):
WebKit · Aug 4, 2015 · 4bc8b58 · 4bc8b58
1 parent 689d979
commit 4bc8b58
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2015-07-09  Zalan Bujtas  <zalan@apple.com>
+
+        Plugin create can end up destroying its renderer.
+        https://bugs.webkit.org/show_bug.cgi?id=146824
+        rdar://problem/18921429
+
+        Reviewed by Andreas Kling.
+
+        Plugins can run arbitrary code during initialization. If the plugin
+        happens to destroy the associated node, its renderer becomes invalid.
+        This patch checks whether the renderer survived the createPlugin() call.
+        (This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.)
+
+        Speculative fix. Not reproducible.
+
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::loadPlugin):
+
 2015-07-09  Daniel Bates  <dabates@apple.com>
 
         Fetching Content Security Policy report URL should respect same origin policy

diff --git a/Source/WebCore/loader/SubframeLoader.cpp b/Source/WebCore/loader/SubframeLoader.cpp
@@ -386,10 +386,12 @@ Document* SubframeLoader::document() const
 
 bool SubframeLoader::loadPlugin(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback)
 {
-    RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
+    if (useFallback)
+        return false;
 
+    RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
     // FIXME: This code should not depend on renderer!
-    if (!renderer || useFallback)
+    if (!renderer)
         return false;
 
     pluginElement.subframeLoaderWillCreatePlugIn(url);
@@ -403,7 +405,11 @@ bool SubframeLoader::loadPlugin(HTMLPlugInImageElement& pluginElement, const URL
         loadManually = false;
 #endif
 
+    WeakPtr<RenderWidget> weakRenderer = renderer->createWeakPtr();
+    // createPlugin *may* cause this renderer to disappear from underneath.
     RefPtr<Widget> widget = m_frame.loader().client().createPlugin(contentSize, &pluginElement, url, paramNames, paramValues, mimeType, loadManually);
+    if (!weakRenderer)
+        return false;
 
     if (!widget) {
         if (!renderer->isPluginUnavailable())