authorAllan Sandfeld Jensen <allan.jensen@digia.com>2013-01-23 12:06:02 +0100
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-01-23 18:59:15 +0100
commit9a0c51e753db9e4164df97801f132237e62387de (patch)
treed71db78a027e28e1ac8ac5c1cb46c6cd20bb05ff /Source
parentcc73ba23ef1f3b28be84e7e5228298418a453b20 (diff)
Heap-use-after-free in DocumentLoader::stopLoading
https://bugs.webkit.org/show_bug.cgi?id=103656 Reviewed by Eric Seidel. Source/WebCore: Test: fast/dom/ready-state-change-crash.html * html/parser/HTMLDocumentParser.cpp: (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out if the parser is detached due to mutation event. * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::stopLoading): Move the protectors for frame and document loader to the start of the function. Call to m_frame->loader()->stopLoading() can change document ready state and fire mutation event which might blow the document loader from underneath. Change-Id: Ib51a1eb062e552eb0cfa7e4ac647e59a4c6b433d Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Diffstat (limited to 'Source')
-rw-r--r--Source/WebCore/ChangeLog19
-rw-r--r--Source/WebCore/html/parser/HTMLDocumentParser.cpp5
-rw-r--r--Source/WebCore/loader/DocumentLoader.cpp6
3 files changed, 27 insertions, 3 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 68e52b02d..098afc0b0 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2013-01-06 Abhishek Arya <inferno@chromium.org>
+
+ Heap-use-after-free in DocumentLoader::stopLoading
+ https://bugs.webkit.org/show_bug.cgi?id=103656
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/ready-state-change-crash.html
+
+ * html/parser/HTMLDocumentParser.cpp:
+ (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
+ if the parser is detached due to mutation event.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::stopLoading): Move the protectors for
+ frame and document loader to the start of the function. Call to
+ m_frame->loader()->stopLoading() can change document ready state
+ and fire mutation event which might blow the document loader from
+ underneath.
+
2013-01-15 Allan Sandfeld Jensen <allan.jensen@digia.com>
[Qt][CSS Shaders] Make custom filter render in Wk1 mode
diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
index 935f5d057..5932bb990 100644
--- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -146,6 +146,11 @@ void HTMLDocumentParser::prepareToStopParsing()
if (m_scriptRunner)
document()->setReadyState(Document::Interactive);
+ // Setting the ready state above can fire mutation event and detach us
+ // from underneath. In that case, just bail out.
+ if (isDetached())
+ return;
+
attemptToRunDeferredScriptsAndEnd();
}
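Review bot: The new `isDetached()` bail-out only helps if the parser object itself survives the mutation event fired by `document()->setReadyState(...)` two lines above; if the document drops its last reference to the parser during that event, `isDetached()` is already a read of freed memory. Unless every caller of prepareToStopParsing() is known to hold a reference (the callers are outside this hunk), a local `RefPtr<HTMLDocumentParser> protect(this);` at the top of the function, before the `if (m_scriptRunner)` line, would make the check safe regardless of who calls it. The bail-out also silently skips `attemptToRunDeferredScriptsAndEnd()`, which the added comment should say explicitly, e.g. `// ... In that case there is nothing left to finish: skip the deferred scripts and bail out.` prepareToStopParsing() begins outside the hunk.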
diff --git a/Source/WebCore/loader/DocumentLoader.cpp b/Source/WebCore/loader/DocumentLoader.cpp
index 9f5f04861..74072938b 100644
--- a/Source/WebCore/loader/DocumentLoader.cpp
+++ b/Source/WebCore/loader/DocumentLoader.cpp
@@ -214,6 +214,9 @@ void DocumentLoader::mainReceivedError(const ResourceError& error)
// but not loads initiated by child frames' data sources -- that's the WebFrame's job.
void DocumentLoader::stopLoading()
{
+ RefPtr<Frame> protectFrame(m_frame);
+ RefPtr<DocumentLoader> protectLoader(this);
+
// In some rare cases, calling FrameLoader::stopLoading could cause isLoading() to return false.
// (This can happen when there's a single XMLHttpRequest currently loading and stopLoading causes it
// to stop loading. Because of this, we need to save it so we don't return early.
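Review bot: The two protectors hoisted to the top of stopLoading() carry no comment explaining why they must precede the reentrant `m_frame->loader()->stopLoading()` call, and the existing comment below them only talks about isLoading() flipping, so a future cleanup could move them back down. Suggest a comment above `RefPtr<Frame> protectFrame(m_frame);` such as `// Keep the frame and this loader alive for the whole function: FrameLoader::stopLoading() below can change the document ready state and fire a mutation event that would otherwise destroy this loader (webkit.org/b/103656).` The protectors only keep the objects alive, not their state: if that mutation event detaches this loader from its frame, any later `m_frame->` dereference in the body still needs a null check, which this change does not add. stopLoading()'s body continues outside this hunk.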
@@ -250,9 +253,6 @@ void DocumentLoader::stopLoading()
// See <rdar://problem/9673866> for more details.
if (m_isStopping)
return;
-
- RefPtr<Frame> protectFrame(m_frame);
- RefPtr<DocumentLoader> protectLoader(this);
m_isStopping = true;