Use-after-free in processResponse in ServiceWorkerFetch.cpp

rdar://118039950 Reviewed by Chris Dumez. Cancelling the stream can trigger GC when creating the DOMException JS wrapper. This might collect the FetchResponse object. To make sure the FetchResponse object stays live for the whole time, we protect it in the callback. * Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp: (WebCore::ServiceWorkerFetch::processResponse): Canonical link: https://commits.webkit.org/267815.569@safari-7617-branch
WebKit · Nov 15, 2023 · 5ebdf97 · 5ebdf97
1 parent f4f2cd5
commit 5ebdf97
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp b/Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp
@@ -131,8 +131,8 @@ static void processResponse(Ref<Client>&& client, Expected<Ref<FetchResponse>, s
 
     if (response->isBodyReceivedByChunk()) {
         client->setCancelledCallback([response = WeakPtr { response.get() }] {
-            if (response)
-                response->cancelStream();
+            if (RefPtr protectedResponse = response.get())
+                protectedResponse->cancelStream();
         });
         response->consumeBodyReceivedByChunk([client = WTFMove(client), response = WeakPtr { response.get() }] (auto&& result) mutable {
             if (result.hasException()) {