commit e6f2a6b9602bcf744ea6cd690f1c2e08cd57403f
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Mar 25 01:48:19 2021 +0000
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Mar 25 01:48:19 2021 +0000
tree c3f8c0d736b9a6506b31e3833c27da71893ce01d
parent 21f2791b75cd9c41fd6e537ba4f205acd4f92a82

bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext'
https://bugs.webkit.org/show_bug.cgi?id=223719

Reviewed by Darin Adler.

Make sure we null check the scriptExecutionContext before we dereference it.

* bindings/js/JSEventListener.cpp:
(WebCore::eventHandlerAttribute):
(WebCore::windowEventHandlerAttribute):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@274996 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index f7599e48..65958b7 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,5 +1,18 @@
 2021-03-24  Chris Dumez  <cdumez@apple.com>
 
+        bindings/js/JSEventListener.cpp:281:91: runtime error: reference binding to null pointer of type 'WebCore::ScriptExecutionContext'
+        https://bugs.webkit.org/show_bug.cgi?id=223719
+
+        Reviewed by Darin Adler.
+
+        Make sure we null check the scriptExecutionContext before we dereference it.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::eventHandlerAttribute):
+        (WebCore::windowEventHandlerAttribute):
+
+2021-03-24  Chris Dumez  <cdumez@apple.com>
+
         Port FontDescriptionKey::computeHash() from legacy IntegerHasher to Hasher
         https://bugs.webkit.org/show_bug.cgi?id=223701
 

Source/WebCore/bindings/js/JSEventListener.cpp

diff --git a/Source/WebCore/bindings/js/JSEventListener.cpp b/Source/WebCore/bindings/js/JSEventListener.cpp
index 01f15f8..c08f5f1 100644
--- a/Source/WebCore/bindings/js/JSEventListener.cpp
+++ b/Source/WebCore/bindings/js/JSEventListener.cpp
@@ -278,7 +278,10 @@
 
 JSC::JSValue eventHandlerAttribute(EventTarget& target, const AtomString& eventType, DOMWrapperWorld& isolatedWorld)
 {
-    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *target.scriptExecutionContext());
+    auto* context = target.scriptExecutionContext();
+    if (!context)
+        return jsNull();
+    return eventHandlerAttribute(target.attributeEventListener(eventType, isolatedWorld), *context);
 }
 
 void setEventHandlerAttribute(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSObject& wrapper, EventTarget& target, const AtomString& eventType, JSC::JSValue value)