Cherry-pick 252432.1018@safari-7614-branch (792c09f). https://bugs.webkit.org/show_bug.cgi?id=249996

Use-after-free in FetchBodyConsumer::resolve
https://bugs.webkit.org/show_bug.cgi?id=249996
rdar://103649054

Reviewed by Jonathan Bedard and Alex Christensen.

Make sure in FetchBodyConsumer that refed promise/source remain protected.
We also revert part of an unnecessary and wrong change from https://trac.webkit.org/changeset/227760.
This makes sure the ReadableStreamToSharedBufferSink callback remains valid until completely executed in the close case, as was the case in the error case.
We use std::exchange instead of move as it is more semantically correct.

Covered by added test.

* LayoutTests/streams/blob-and-then-expected.txt: Added.
* LayoutTests/streams/blob-and-then.html: Added.
* Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
(WebCore::FetchBodyConsumer::resolveWithFormData):
(WebCore::FetchBodyConsumer::consumeFormDataAsStream):
(WebCore::FetchBodyConsumer::resolve):
* Source/WebCore/Modules/streams/ReadableStreamSink.cpp:
(WebCore::ReadableStreamToSharedBufferSink::close):
(WebCore::ReadableStreamToSharedBufferSink::error):

Canonical link: https://commits.webkit.org/252432.1018@safari-7614-branch
Showing 4 changed files with 61 additions and 13 deletions.
LayoutTests/streams/blob-and-then-expected.txt (added)
@@ -0,0 +1,3 @@ | ||
|
||
PASS Ensure redefining then does not alter blob promise | ||
|
LayoutTests/streams/blob-and-then.html (added)
@@ -0,0 +1,33 @@ | ||
<!doctype html> | ||
<html> | ||
<head> | ||
<meta charset="utf-8"> | ||
<script src="../resources/testharness.js"></script> | ||
<script src="../resources/testharnessreport.js"></script> | ||
</head> | ||
<body> | ||
<script> | ||
|
||
promise_test(async () => { | ||
function createReadStream() { | ||
const response = new Response(new Blob(['aaaaa'])); | ||
return response.body; | ||
} | ||
|
||
const f = document.body.appendChild(document.createElement('iframe')); | ||
const response = new f.contentWindow.Response(createReadStream()); | ||
|
||
f.contentWindow.Object.prototype.__defineGetter__('then', () => { | ||
delete f.contentWindow.Object.prototype.then; | ||
|
||
f.remove(); | ||
}); | ||
|
||
response.blob(); | ||
|
||
await new Promise(resolve => setTimeout(resolve, 50)); | ||
}, "Ensure redefining then does not alter blob promise"); | ||
|
||
</script> | ||
</body> | ||
</html> |
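Review bot: the test has no explicit assertion and its pass condition (the process survives `response.blob()` resolving while the iframe's `then` getter tears the frame down) is only implied; a short comment above `__defineGetter__('then', ...)` saying that the getter runs during promise resolution of the Blob result and that `f.remove()` is what destroys the consumer mid-resolve would make the regression test self-explanatory, and the fixed `setTimeout(resolve, 50)` wait deserves a one-line note that it exists only to give the detached realm's promise time to settle, since nothing in the test can await it directly.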