author | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2013-01-23 12:06:02 +0100
committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-01-23 18:59:15 +0100
commit | 9a0c51e753db9e4164df97801f132237e62387de (patch)
tree | d71db78a027e28e1ac8ac5c1cb46c6cd20bb05ff /Source
parent | cc73ba23ef1f3b28be84e7e5228298418a453b20 (diff)
download | qtwebkit-9a0c51e753db9e4164df97801f132237e62387de.tar.gz
Heap-use-after-free in DocumentLoader::stopLoading
https://bugs.webkit.org/show_bug.cgi?id=103656
Reviewed by Eric Seidel.
Source/WebCore:
Test: fast/dom/ready-state-change-crash.html
* html/parser/HTMLDocumentParser.cpp:
(WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
if the parser is detached due to a mutation event.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoading): Move the protectors for
the frame and document loader to the start of the function. A call to
m_frame->loader()->stopLoading() can change the document ready state
and fire a mutation event, which might blow the document loader away
from underneath.
Change-Id: Ib51a1eb062e552eb0cfa7e4ac647e59a4c6b433d
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Diffstat (limited to 'Source')
-rw-r--r-- | Source/WebCore/ChangeLog | 19
-rw-r--r-- | Source/WebCore/html/parser/HTMLDocumentParser.cpp | 5
-rw-r--r-- | Source/WebCore/loader/DocumentLoader.cpp | 6
3 files changed, 27 insertions, 3 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 68e52b02d..098afc0b0 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,22 @@ +2013-01-06 Abhishek Arya <inferno@chromium.org> + + Heap-use-after-free in DocumentLoader::stopLoading + https://bugs.webkit.org/show_bug.cgi?id=103656 + + Reviewed by Eric Seidel. + + Test: fast/dom/ready-state-change-crash.html + + * html/parser/HTMLDocumentParser.cpp: + (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out + if the parser is detached due to mutation event. + * loader/DocumentLoader.cpp: + (WebCore::DocumentLoader::stopLoading): Move the protectors for + frame and document loader to the start of the function. Call to + m_frame->loader()->stopLoading() can change document ready state + and fire mutation event which might blow the document loader from + underneath. + 2013-01-15 Allan Sandfeld Jensen <allan.jensen@digia.com> [Qt][CSS Shaders] Make custom filter render in Wk1 mode diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp index 935f5d057..5932bb990 100644 --- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp +++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp @@ -146,6 +146,11 @@ void HTMLDocumentParser::prepareToStopParsing() if (m_scriptRunner) document()->setReadyState(Document::Interactive); + // Setting the ready state above can fire mutation event and detach us + // from underneath. In that case, just bail out. + if (isDetached()) + return; + attemptToRunDeferredScriptsAndEnd(); } diff --git a/Source/WebCore/loader/DocumentLoader.cpp b/Source/WebCore/loader/DocumentLoader.cpp index 9f5f04861..74072938b 100644 --- a/Source/WebCore/loader/DocumentLoader.cpp +++ b/Source/WebCore/loader/DocumentLoader.cpp 
@@ -214,6 +214,9 @@ void DocumentLoader::mainReceivedError(const ResourceError& error) // but not loads initiated by child frames' data sources -- that's the WebFrame's job. void DocumentLoader::stopLoading() { + RefPtr<Frame> protectFrame(m_frame); + RefPtr<DocumentLoader> protectLoader(this); + // In some rare cases, calling FrameLoader::stopLoading could cause isLoading() to return false. // (This can happen when there's a single XMLHttpRequest currently loading and stopLoading causes it // to stop loading. Because of this, we need to save it so we don't return early. @@ -250,9 +253,6 @@ void DocumentLoader::stopLoading() // See <rdar://problem/9673866> for more details. if (m_isStopping) return; - - RefPtr<Frame> protectFrame(m_frame); - RefPtr<DocumentLoader> protectLoader(this); m_isStopping = true; |
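Review bot: in the ChangeLog hunk the new entry, dated 2013-01-06 and attributed to Abhishek Arya, is inserted above the existing 2013-01-15 entry, so the file is no longer in reverse-chronological order. That is the usual result of cherry-picking the upstream entry verbatim, but nothing on this page names the upstream change being backported; consider adding the originating WebKit revision next to the Change-Id so the out-of-order entry is explained and the fix can be traced back to its origin.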
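Review bot: the new `if (isDetached()) return;` in HTMLDocumentParser::prepareToStopParsing() reads a member of the parser after setReadyState(Document::Interactive) has run arbitrary script, so it only helps if the parser object itself is still alive at that point; the hunk shows no `RefPtr<HTMLDocumentParser> protect(this);` in this function, so either confirm that every caller already holds a reference across the call or add that protector at the top of the function, before the setReadyState() call. Separately, the added comment says the ready-state change "can fire mutation event" while the regression test is named fast/dom/ready-state-change-crash.html; if the script that detaches the parser actually runs from a readystatechange handler, name that event in the comment so the next reader knows which listener to look for.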
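Review bot: moving `RefPtr<Frame> protectFrame(m_frame);` and `RefPtr<DocumentLoader> protectLoader(this);` to the top of DocumentLoader::stopLoading() keeps both objects alive across m_frame->loader()->stopLoading(), but it does not keep them attached to each other or otherwise usable: script run from the ready-state change can still detach the loader from its frame while this function continues, and the existing comment about isLoading() flipping to false is evidence that state changes underneath this function are already expected. After the stopLoading() call (outside the visible hunk) it would be safer to re-check that the loader is still attached, for example `if (!m_frame) return;`, rather than relying on the protectors alone. The second hunk correctly drops the duplicate protectors after `if (m_isStopping) return;`, so the only remaining cost is two ref-count bumps on the early-return path, which is fine.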