[curl] Segfault in WebCore::CurlRequest::setupPOST

https://bugs.webkit.org/show_bug.cgi?id=178434 Patch by Basuke Suzuki <Basuke.Suzuki@sony.com> on 2017-10-19 Reviewed by Ryosuke Niwa. * platform/network/curl/CurlRequest.cpp: (WebCore::CurlRequest::resolveBlobReferences): (WebCore::CurlRequest::setupPOST): Canonical link: https://commits.webkit.org/194701@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@223681 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 19, 2017 · b8e5859d9288634386cc1c5a160e3439e0252425 · b8e5859
1 parent cf2980e
commit b8e5859d9288634386cc1c5a160e3439e0252425
Showing with 20 additions and 5 deletions.

+11 −0 Source/WebCore/ChangeLog

+9 −5 Source/WebCore/platform/network/curl/CurlRequest.cpp
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,14 @@
+2017-10-19  Basuke Suzuki  <Basuke.Suzuki@sony.com>
+
+        [curl] Segfault in WebCore::CurlRequest::setupPOST
+        https://bugs.webkit.org/show_bug.cgi?id=178434
+
+        Reviewed by Ryosuke Niwa.
+
+        * platform/network/curl/CurlRequest.cpp:
+        (WebCore::CurlRequest::resolveBlobReferences):
+        (WebCore::CurlRequest::setupPOST):
+
 2017-10-18  Ryosuke Niwa  <rniwa@webkit.org>
 
         Don't expose raw HTML in pasteboard to the web content

diff --git a/Source/WebCore/platform/network/curl/CurlRequest.cpp b/Source/WebCore/platform/network/curl/CurlRequest.cpp
@@ -391,12 +391,12 @@ void CurlRequest::resolveBlobReferences(ResourceRequest& request)
 {
     ASSERT(isMainThread());
 
-    RefPtr<FormData> formData = request.httpBody();
-    if (!formData)
+    auto body = request.httpBody();
+    if (!body || body->isEmpty())
         return;
 
     // Resolve the blob elements so the formData can correctly report it's size.
-    formData = formData->resolveBlobReferences();
+    RefPtr<FormData> formData = body->resolveBlobReferences();
     request.setHTTPBody(WTFMove(formData));
 }
 
@@ -418,13 +418,17 @@ void CurlRequest::setupPOST(ResourceRequest& request)
 {
     m_curlHandle->enableHttpPostRequest();
 
-    auto numElements = request.httpBody()->elements().size();
+    auto body = request.httpBody();
+    if (!body || body->isEmpty())
+        return;
+
+    auto numElements = body->elements().size();
     if (!numElements)
         return;
 
     // Do not stream for simple POST data
     if (numElements == 1) {
-        m_postBuffer = request.httpBody()->flatten();
+        m_postBuffer = body->flatten();
         if (m_postBuffer.size())
             m_curlHandle->setPostFields(m_postBuffer.data(), m_postBuffer.size());
     } else