Module: wine Branch: master Commit: fbeab911c960953fca600396df9f805fd5291864 URL: https://gitlab.winehq.org/wine/wine/-/commit/fbeab911c960953fca600396df9f805...
Author: Gabriel Ivăncescu gabrielopcode@gmail.com Date: Wed Mar 8 19:36:06 2023 +0200
mshtml: Hold ref to inner window when calling external code.
It's possible for it to get detached while processing an external callback notification, such as when navigation happens during it.
Signed-off-by: Gabriel Ivăncescu gabrielopcode@gmail.com
---
dlls/mshtml/mutation.c | 12 ++++++++---- dlls/mshtml/navigate.c | 12 ++++++++++-- dlls/mshtml/persist.c | 8 ++++++-- 3 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/dlls/mshtml/mutation.c b/dlls/mshtml/mutation.c
index 05ebf706dd0..89bba9cb195 100644
--- a/dlls/mshtml/mutation.c
+++ b/dlls/mshtml/mutation.c
@@ -292,11 +292,13 @@ static void parse_complete(HTMLDocumentObj *doc)
 static nsresult run_end_load(HTMLDocumentNode *This, nsISupports *arg1, nsISupports *arg2)
 {
 HTMLDocumentObj *doc_obj = This->doc_obj;
+ HTMLInnerWindow *window = This->window;
TRACE("(%p)\n", This);
if(!doc_obj)
 return NS_OK;
+ IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface);
if(This == doc_obj->doc_node) {
 /*
@@ -310,8 +312,11 @@ static nsresult run_end_load(HTMLDocumentNode *This, nsISupports *arg1, nsISuppo
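Review bot: `IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface)` is called on whatever `This->window` held at entry, and the only check before it is `if(!doc_obj)`. If a document node can reach run_end_load with `doc_obj` set and `window` NULL, the function now faults at the top instead of at the old `This->window->performance_timing` access; whether that state is reachable is not visible here. The same unchecked capture-then-AddRef appears in async_stop_request (`This->bsc.window`), navigate_javascript_proc (`task->window->base.inner_window`) and notif_readystate (`window->base.inner_window`). Either guard the pair, e.g. `if(window) IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface);` with a matching guarded release, or add a comment stating the non-NULL invariant. The function body continues past the end of this hunk.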
bind_event_scripts(This);
- This->window->performance_timing->dom_interactive_time = get_time_stamp();
- set_ready_state(This->outer_window, READYSTATE_INTERACTIVE);
+ if(This->window == window) {
+ window->performance_timing->dom_interactive_time = get_time_stamp();
+ set_ready_state(This->outer_window, READYSTATE_INTERACTIVE);
+ }
+ IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface);
 return NS_OK;
 }
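Review bot: The `if(This->window == window)` test has no comment, and without the commit message a reader cannot tell that it detects the inner window having been detached by the calls made earlier in run_end_load. I would add above it `/* a callback above may have navigated away and detached this inner window; only update the window the load started with */`. The new reference pins only the inner window, while `This` is dereferenced again after those calls (`This->window`, `This->outer_window`) and nothing in the visible lines holds it, so it is worth confirming that the caller keeps the document node alive. The start of the function is outside this hunk.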
@@ -368,14 +373,13 @@ static nsresult run_insert_script(HTMLDocumentNode *doc, nsISupports *script_ifa
 free(iter);
 }
- IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface);
-
 if(nsparser) {
 window->parser_callback_cnt--;
 nsIParser_EndEvaluatingParserInsertedScript(nsparser);
 nsIParser_Release(nsparser);
 }
+ IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface);
 IHTMLScriptElement_Release(&script_elem->IHTMLScriptElement_iface);
return NS_OK;
diff --git a/dlls/mshtml/navigate.c b/dlls/mshtml/navigate.c
index b2fc0473aa1..c78dfde43dc 100644
--- a/dlls/mshtml/navigate.c
+++ b/dlls/mshtml/navigate.c
@@ -1419,8 +1419,11 @@ static void stop_request_task_destr(task_t *_task)
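Review bot: The position of `IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface)` is now what keeps `window->parser_callback_cnt--` from touching an object whose reference was already dropped, but nothing in the code says so. A short comment on the release, such as `/* must stay after the nsparser block: window is still used there */`, would stop a later cleanup from moving it back up. The matching AddRef and the start of run_insert_script are outside this hunk.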
static HRESULT async_stop_request(nsChannelBSC *This)
 {
+ HTMLInnerWindow *window = This->bsc.window;
 stop_request_task_t *task;
+ HRESULT hres;
+ IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface);
 if(!This->bsc.read) {
 TRACE("No data read, calling OnStartRequest\n");
 on_start_nsrequest(This);
@@ -1433,7 +1436,9 @@ static HRESULT async_stop_request(nsChannelBSC *This)
 IBindStatusCallback_AddRef(&This->bsc.IBindStatusCallback_iface);
 task->bsc = This;
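Review bot: The reference taken by `IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface)` at the top of async_stop_request is dropped only next to the `push_task` call in the following hunk, so any exit between the two leaks it. The lines between the hunks are not shown, but `task` is set up there; if that code can return early (for example when allocating `task` fails), that path needs its own `IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface);` before the return. A single exit label that releases the window would keep the pairing obvious.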
- return push_task(&task->header, stop_request_proc, stop_request_task_destr, This->bsc.window->task_magic);
+ hres = push_task(&task->header, stop_request_proc, stop_request_task_destr, window->task_magic);
+ IHTMLWindow2_Release(&window->base.IHTMLWindow2_iface);
+ return hres;
 }
static void handle_navigation_error(nsChannelBSC *This, DWORD result)
@@ -2069,6 +2074,7 @@ typedef struct {
 static void navigate_javascript_proc(task_t *_task)
 {
 navigate_javascript_task_t *task = (navigate_javascript_task_t*)_task;
+ HTMLInnerWindow *inner_window = task->window->base.inner_window;
 HTMLOuterWindow *window = task->window;
 HTMLDocumentObj *doc = NULL;
 BSTR code = NULL;
@@ -2080,6 +2086,7 @@ static void navigate_javascript_proc(task_t *_task)
 doc = window->browser->doc;
 IUnknown_AddRef(doc->outer_unk);
 }
+ IHTMLWindow2_AddRef(&inner_window->base.IHTMLWindow2_iface);
hres = IUri_GetPath(task->uri, &code);
 if(hres != S_OK) {
@@ -2097,7 +2104,7 @@ static void navigate_javascript_proc(task_t *_task)
 set_download_state(doc, 1);
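Review bot: After `IHTMLWindow2_AddRef(&inner_window->base.IHTMLWindow2_iface)` every exit from navigate_javascript_proc has to pass through `done:`, where a later hunk releases the reference. The body of `if(hres != S_OK) {` lies outside the hunk, so check that it jumps to `done` rather than returning. `exec_script` also now runs against the inner window captured when the task began, not `window->base.inner_window` as it stands at call time. If that is intended, a comment such as `/* run in the inner window that was current when the task started, even if it was detached since */` would record the decision.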
V_VT(&v) = VT_EMPTY;
- hres = exec_script(window->base.inner_window, code, L"jscript", &v);
+ hres = exec_script(inner_window, code, L"jscript", &v);
 SysFreeString(code);
 if(SUCCEEDED(hres) && V_VT(&v) != VT_EMPTY) {
 FIXME("javascirpt URL returned %s\n", debugstr_variant(&v));
@@ -2112,6 +2119,7 @@ static void navigate_javascript_proc(task_t *_task)
 }
done:
+ IHTMLWindow2_Release(&inner_window->base.IHTMLWindow2_iface);
 if(doc)
 IUnknown_Release(doc->outer_unk);
 }
diff --git a/dlls/mshtml/persist.c b/dlls/mshtml/persist.c
index 620f6428d35..35ffd7824dd 100644
--- a/dlls/mshtml/persist.c
+++ b/dlls/mshtml/persist.c
@@ -437,20 +437,24 @@ HRESULT set_moniker(HTMLOuterWindow *window, IMoniker *mon, IUri *nav_uri, IBind
static void notif_readystate(HTMLOuterWindow *window)
 {
+ HTMLInnerWindow *inner_window = window->base.inner_window;
 DOMEvent *event;
 HRESULT hres;
window->readystate_pending = FALSE;
+ IHTMLWindow2_AddRef(&inner_window->base.IHTMLWindow2_iface);
+
 if(is_main_content_window(window))
 call_property_onchanged(&window->browser->doc->cp_container, DISPID_READYSTATE);
- hres = create_document_event(window->base.inner_window->doc, EVENTID_READYSTATECHANGE, &event);
+ hres = create_document_event(inner_window->doc, EVENTID_READYSTATECHANGE, &event);
 if(SUCCEEDED(hres)) {
 event->no_event_obj = TRUE;
- dispatch_event(&window->base.inner_window->doc->node.event_target, event);
+ dispatch_event(&inner_window->doc->node.event_target, event);
 IDOMEvent_Release(&event->IDOMEvent_iface);
 }
+ IHTMLWindow2_Release(&inner_window->base.IHTMLWindow2_iface);
if(window->frame_element) {
 hres = create_document_event(window->frame_element->element.node.doc, EVENTID_READYSTATECHANGE, &event);
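Review bot: Only the inner window is pinned across `call_property_onchanged` and `dispatch_event`, yet the outer `window` is dereferenced again right after the release (`if(window->frame_element)`), and no reference on it is taken in the visible lines. If a handler run by those calls can drop the last reference to the outer window, that access has the same lifetime problem this commit fixes for the inner one. Confirm that the caller holds a reference, or take one here with `IHTMLWindow2_AddRef(&window->base.IHTMLWindow2_iface);` and release it at the end of the function. Unlike run_end_load, there is also no `window->base.inner_window == inner_window` check before dispatching, so readystatechange still goes to the captured document after a detach; a comment saying whether that is intended would help. notif_readystate continues past the end of this hunk.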