From 9a0c51e753db9e4164df97801f132237e62387de Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen
Date: Wed, 23 Jan 2013 12:06:02 +0100
Subject: Heap-use-after-free in DocumentLoader::stopLoading https://bugs.webkit.org/show_bug.cgi?id=103656 Reviewed by Eric Seidel. Source/WebCore: Test: fast/dom/ready-state-change-crash.html * html/parser/HTMLDocumentParser.cpp: (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out if the parser is detached due to mutation event. * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::stopLoading): Move the protectors for frame and document loader to the start of the function. Call to m_frame->loader()->stopLoading() can change document ready state and fire mutation event which might blow the document loader from underneath. Change-Id: Ib51a1eb062e552eb0cfa7e4ac647e59a4c6b433d Reviewed-by: Simon Hausmann
---
 Source/WebCore/ChangeLog | 19 +++++++++++++++++++
 Source/WebCore/html/parser/HTMLDocumentParser.cpp | 5 +++++
 Source/WebCore/loader/DocumentLoader.cpp | 6 +++---
 3 files changed, 27 insertions(+), 3 deletions(-)
(limited to 'Source')
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 68e52b02d..098afc0b0 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2013-01-06 Abhishek Arya
+
+ Heap-use-after-free in DocumentLoader::stopLoading
+ https://bugs.webkit.org/show_bug.cgi?id=103656
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/ready-state-change-crash.html
+
+ * html/parser/HTMLDocumentParser.cpp:
+ (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
+ if the parser is detached due to mutation event.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::stopLoading): Move the protectors for
+ frame and document loader to the start of the function. Call to
+ m_frame->loader()->stopLoading() can change document ready state
+ and fire mutation event which might blow the document loader from
+ underneath.
+
 2013-01-15 Allan Sandfeld Jensen
 
 [Qt][CSS Shaders] Make custom filter render in Wk1 mode
diff --git a/Source/WebCore/html/parser/HTMLDocumentParser.cpp b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
index 935f5d057..5932bb990 100644
--- a/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -146,6 +146,11 @@ void HTMLDocumentParser::prepareToStopParsing()
     if (m_scriptRunner)
         document()->setReadyState(Document::Interactive);
 
+    // Setting the ready state above can fire mutation event and detach us
+    // from underneath. In that case, just bail out.
+    if (isDetached())
+        return;
+
     attemptToRunDeferredScriptsAndEnd();
 }
 
diff --git a/Source/WebCore/loader/DocumentLoader.cpp b/Source/WebCore/loader/DocumentLoader.cpp
index 9f5f04861..74072938b 100644
--- a/Source/WebCore/loader/DocumentLoader.cpp
+++ b/Source/WebCore/loader/DocumentLoader.cpp
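Review bot: The new `isDetached()` guard after `document()->setReadyState(Document::Interactive)` reads `this` only after the mutation event the comment describes has already run, and nothing in the hunk pins the parser's own lifetime; if the detaching path releases the document's owning reference to the parser, the guard is itself a read of freed memory rather than a defence against one. Unless a caller up the stack is known to hold a `RefPtr<HTMLDocumentParser>` across this call (not visible here), add `RefPtr<HTMLDocumentParser> protect(this);` ahead of the `setReadyState` call, mirroring what the DocumentLoader half of this patch does with `protectLoader`. The comment could also say why the check is safe to make unconditionally even though only the `if (m_scriptRunner)` branch runs script, e.g. `// isDetached() is cheap, so check it regardless of whether setReadyState ran.` prepareToStopParsing starts before this hunk.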
@@ -214,6 +214,9 @@ void DocumentLoader::mainReceivedError(const ResourceError& error)
 // but not loads initiated by child frames' data sources -- that's the WebFrame's job.
 void DocumentLoader::stopLoading()
 {
+    RefPtr protectFrame(m_frame);
+    RefPtr protectLoader(this);
+
     // In some rare cases, calling FrameLoader::stopLoading could cause isLoading() to return false.
     // (This can happen when there's a single XMLHttpRequest currently loading and stopLoading causes it
     // to stop loading. Because of this, we need to save it so we don't return early.
@@ -250,9 +253,6 @@ void DocumentLoader::stopLoading()
     // See for more details.
     if (m_isStopping)
         return;
-
-    RefPtr protectFrame(m_frame);
-    RefPtr protectLoader(this);
 
     m_isStopping = true;
 
-- 
cgit v1.2.1
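Review bot: `protectFrame` keeps the Frame object alive but not the `m_frame` member: the `m_frame->loader()->stopLoading()` call this move is guarding can, per the commit message, run mutation events, and if anything in there detaches this loader from its frame and clears `m_frame` (presumably what a detach does; the code between these two hunks is not visible here), later dereferences of `m_frame` in the rest of the function become null dereferences rather than use-after-free. Any use of `m_frame` after that call should go through `protectFrame` or re-check `m_frame` for null first. The moved lines also carry no explanation, so a reader has to go to the ChangeLog to learn why they sit before everything else; a comment such as `// Stopping the frame loader below can run mutation events that release this loader; keep it and the frame alive for the rest of the function.` would make the ordering self-documenting.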