Use-after-free in processResponse in ServiceWorkerFetch.cpp
rdar://118039950

Reviewed by Chris Dumez.

Cancelling the stream can trigger GC when creating the DOMException JS wrapper.
This might collect the FetchResponse object.
To make sure the FetchResponse object stays live for the whole time, we protect it in the callback.

* Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::processResponse):

Originally-landed-as: 267815.569@safari-7617-branch (5ebdf97). rdar://121481543
Canonical link: https://commits.webkit.org/273420@main
youennf authored and robert-jenner committed Jan 24, 2024
1 parent f62dc2a commit b46a8fc
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp
Expand Up @@ -129,8 +129,8 @@ static void processResponse(Ref<Client>&& client, Expected<Ref<FetchResponse>, s

if (response->isBodyReceivedByChunk()) {
client->setCancelledCallback([response = WeakPtr { response.get() }] {
if (response)
response->cancelStream();
if (RefPtr protectedResponse = response.get())
protectedResponse->cancelStream();
});
response->consumeBodyReceivedByChunk([client = WTFMove(client), response = WeakPtr { response.get() }] (auto&& result) mutable {
if (result.hasException()) {
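
Review bot: In the setCancelledCallback lambda, the new `if (RefPtr protectedResponse = response.get())` reads like a stylistic variant of the old `if (response)` null check, and nothing in the code says it exists to keep the FetchResponse alive for the duration of cancelStream(). Add a short comment there stating that cancelStream() can trigger GC while the DOMException wrapper is created, so the strong reference is not simplified away later. The consumeBodyReceivedByChunk callback directly below captures the same `WeakPtr { response.get() }`; its body is cut off in this view, so it is worth confirming that it also takes a RefPtr before any call that can allocate JS wrappers. The commit touches only this one file, so a regression test that cancels a response whose body is received by chunk would be a useful follow-up.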