Cherry-pick 274097.9@webkit-2024.2-embargoed (f81d56c47751). https://…

…bugs.webkit.org/show_bug.cgi?id=268769 HTMLPlugInImageElement: verify that element is in same document before requesting a load https://bugs.webkit.org/show_bug.cgi?id=268769 Reviewed by Ryosuke Niwa. The testcase shows a scenario where a plugin is set up to start loading the plugin contents from an event loop, however before the event loop is started the rest of the script will run, which moves the plugin to a different document, thus hitting an ASSERT in WebFrame::createSubframe when the load is performed. Protect against this by returning early when this situation is detected in the event loop. * LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt: Added. * LayoutTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html: Added. * Source/WebCore/html/HTMLPlugInImageElement.cpp: (WebCore::HTMLPlugInImageElement::requestObject): Canonical link: https://commits.webkit.org/274097.9@webkit-2024.2-embargoed Canonical link: https://commits.webkit.org/272448.695@safari-7618-branch Canonical link: https://commits.webkit.org/274313.227@webkitglib/2.44
WebKit · May 13, 2024 · 94adce3 · 94adce3
1 parent 15af2b3
commit 94adce3
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 2 deletions.
diff --git a/...ecurity/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt b/...ecurity/schedule-request-object-then-move-plugin-to-frameless-document-crash-expected.txt
@@ -0,0 +1 @@
+PASS if no crash.
diff --git a/...tTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html b/...tTests/security/schedule-request-object-then-move-plugin-to-frameless-document-crash.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<embed id="embed"></embed>
+<iframe id="iframe"></iframe>
+<object id="object"></object>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+  doc = new DOMParser().parseFromString("foo", "text/html");
+  object.data = "x";
+  var embed = document.getElementById("embed");
+  iframe.contentDocument.adoptNode(embed);
+  embed.bar;
+  doc.body.appendChild(object);
+  document.body.replaceWith("PASS if no crash.");
+</script>
diff --git a/Source/WebCore/html/HTMLPlugInImageElement.cpp b/Source/WebCore/html/HTMLPlugInImageElement.cpp
@@ -329,8 +329,8 @@ bool HTMLPlugInImageElement::requestObject(const String& relativeURL, const Stri
     if (ScriptDisallowedScope::InMainThread::isScriptAllowed())
         return document->frame()->loader().subframeLoader().requestObject(*this, relativeURL, getNameAttribute(), mimeType, paramNames, paramValues);
 
-    document->eventLoop().queueTask(TaskSource::Networking, [this, protectedThis = Ref { *this }, relativeURL, nameAttribute = getNameAttribute(), mimeType, paramNames, paramValues]() mutable {
-        if (!isConnected())
+    document->eventLoop().queueTask(TaskSource::Networking, [this, protectedThis = Ref { *this }, relativeURL, nameAttribute = getNameAttribute(), mimeType, paramNames, paramValues, document]() mutable {
+        if (!this->isConnected() || &this->document() != document.ptr())
             return;
         RefPtr frame = this->document().frame();
         if (!frame)