Title: [95791] trunk
- Revision
- 95791
- Author
- [email protected]
- Date
- 2011-09-23 03:56:23 -0700 (Fri, 23 Sep 2011)
Log Message
use after free in WebCore::SVGTRefElement::updateReferencedText
https://bugs.webkit.org/show_bug.cgi?id=67555
Patch by Rob Buis <[email protected]> on 2011-09-23
Reviewed by Nikolas Zimmermann.
Source/WebCore:
Event listeners can outlive the tref element that created them when
the tref is cloned and then garbage collected, causing a dangling pointer to the
tref. To fix this, do not install the event listener until the tref is inserted into the document.
Test: svg/custom/tref-clone-crash.html
* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefElement::svgAttributeChanged):
(WebCore::SVGTRefElement::insertedIntoDocument):
* svg/SVGTRefElement.h:
LayoutTests:
Test that cloned tref does not cause a crash.
* svg/custom/tref-clone-crash-expected.txt: Added.
* svg/custom/tref-clone-crash.html: Added.
Modified: trunk/LayoutTests/ChangeLog (95790 => 95791)
--- trunk/LayoutTests/ChangeLog 2011-09-23 10:46:54 UTC (rev 95790)
+++ trunk/LayoutTests/ChangeLog 2011-09-23 10:56:23 UTC (rev 95791)
@@ -1,3 +1,15 @@
+2011-09-23 Rob Buis <[email protected]>
+
+ use after free in WebCore::SVGTRefElement::updateReferencedText
+ https://bugs.webkit.org/show_bug.cgi?id=67555
+
+ Reviewed by Nikolas Zimmermann.
+
+ Test that cloned tref does not cause a crash.
+
+ * svg/custom/tref-clone-crash-expected.txt: Added.
+ * svg/custom/tref-clone-crash.html: Added.
+
2011-09-23 Xan Lopez <[email protected]>
Crash on editing/pasteboard/drag-drop-input-in-svg.svg
Added: trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt (0 => 95791)
--- trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt 2011-09-23 10:56:23 UTC (rev 95791)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/svg/custom/tref-clone-crash.html (0 => 95791)
--- trunk/LayoutTests/svg/custom/tref-clone-crash.html (rev 0)
+++ trunk/LayoutTests/svg/custom/tref-clone-crash.html 2011-09-23 10:56:23 UTC (rev 95791)
@@ -0,0 +1,33 @@
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" _onload_="runTest()">
+ <defs>
+ <style id="style"/>
+ <text id="ref"></text>
+ </defs>
+ <g><use xlink:href=""
+ <g><text><tref id="tref" xlink:href=""
+ <script>
+ function gc() {
+ if (window.GCController)
+ GCController.collect();
+ else {
+ for (var i = 0; i < 10000; ++i)
+ new Object;
+ }
+ }
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ function runTest() {
+ var tref = document.getElementById("tref");
+ tref.cloneNode(true);
+ gc();
+ var elem = document.getElementById("style");
+ var parent = elem.parentNode;
+ parent.insertBefore(document.createElement("source"), elem);
+ document.body.innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ </script>
+</svg>
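Review bot: The `<use>` and `<tref>` lines near the top of the markup appear truncated in this listing (`xlink:href=""` with no closing quote or tag), so the reference that is meant to point the tref at `#ref` cannot be verified here; if the href really were empty the test would never install the listener and could pass without exercising the bug. The `_onload_` attribute name likewise looks like mailing-list mangling of `onload` rather than what was committed. A one-line comment in the script stating the intended sequence, e.g. `// Clone the tref while detached, collect the clone, then mutate the target's parent so a stale listener would fire.`, would make the regression purpose visible to whoever next edits this file. The non-DRT `gc()` fallback only allocates 10000 objects and does not guarantee a collection, so outside the test runner the check is best-effort.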
Modified: trunk/Source/WebCore/ChangeLog (95790 => 95791)
--- trunk/Source/WebCore/ChangeLog 2011-09-23 10:46:54 UTC (rev 95790)
+++ trunk/Source/WebCore/ChangeLog 2011-09-23 10:56:23 UTC (rev 95791)
@@ -1,3 +1,21 @@
+2011-09-23 Rob Buis <[email protected]>
+
+ use after free in WebCore::SVGTRefElement::updateReferencedText
+ https://bugs.webkit.org/show_bug.cgi?id=67555
+
+ Reviewed by Nikolas Zimmermann.
+
+ Event listeners can outlive the tref element that created them when
+ the tref is cloned and then garbage collected, causing a dangling pointer to the
+ tref. To fix this do not install event listener until the tref is inserted into the document.
+
+ Test: svg/custom/tref-clone-crash.html
+
+ * svg/SVGTRefElement.cpp:
+ (WebCore::SVGTRefElement::svgAttributeChanged):
+ (WebCore::SVGTRefElement::insertedIntoDocument):
+ * svg/SVGTRefElement.h:
+
2011-09-23 Vsevolod Vlasov <[email protected]>
ASSERTION FAILED: documentLoader in WebKit/Source/WebCore/inspector/InspectorInstrumentation.cpp(597)
Modified: trunk/Source/WebCore/svg/SVGTRefElement.cpp (95790 => 95791)
--- trunk/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-23 10:46:54 UTC (rev 95790)
+++ trunk/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-23 10:56:23 UTC (rev 95791)
@@ -193,9 +193,11 @@
return;
}
updateReferencedText();
- m_eventListener = SubtreeModificationEventListener::create(this, id);
- ASSERT(target->parentNode());
- target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+ if (inDocument()) {
+ m_eventListener = SubtreeModificationEventListener::create(this, id);
+ ASSERT(target->parentNode());
+ target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+ }
if (RenderObject* renderer = this->renderer())
RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
return;
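Review bot: The new `inDocument()` guard around the listener installation stops the detached-clone case, but the listener created there still carries a raw back-pointer to this element and is owned by `target->parentNode()`, an unrelated node, so its safety now rests entirely on `removedFromDocument()` (and the destructor, not visible here) always unregistering it. That invariant deserves a comment at the guard, e.g. `// Register on the target's parent only once we are in the document: the listener holds a raw pointer to this element and must be removed in removedFromDocument() before we can be destroyed.` Note also that assigning `m_eventListener` here replaces any previously installed listener without visibly removing it from the old target's parent; if the earlier part of this function (outside the hunk) does not do so, a repeated href change while in the document leaves a stale listener registered with the same raw pointer. `svgAttributeChanged` begins and ends outside this hunk.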
@@ -240,6 +242,21 @@
}
}
+void SVGTRefElement::insertedIntoDocument()
+{
+ SVGStyledElement::insertedIntoDocument();
+ String id;
+ Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+ if (!target) {
+ document()->accessSVGExtensions()->addPendingResource(id, this);
+ return;
+ }
+ updateReferencedText();
+ m_eventListener = SubtreeModificationEventListener::create(this, id);
+ ASSERT(target->parentNode());
+ target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+}
+
void SVGTRefElement::removedFromDocument()
{
SVGStyledElement::removedFromDocument();
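Review bot: `insertedIntoDocument()` duplicates the target lookup, pending-resource registration, `updateReferencedText()` call and listener installation from `svgAttributeChanged()` line for line, so the two copies will drift; extract the sequence into a private helper such as `buildPendingResource()` called from both places and keep only `SVGStyledElement::insertedIntoDocument(); buildPendingResource();` here. Before assigning `m_eventListener` that helper should also detach any listener still registered from an earlier insertion cycle; whether `removedFromDocument()` (whose body continues past this hunk) already clears it cannot be confirmed from these lines. A release-mode null check on `target->parentNode()` would be cheap insurance alongside the `ASSERT`, since the pointer is dereferenced unconditionally.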
Modified: trunk/Source/WebCore/svg/SVGTRefElement.h (95790 => 95791)
--- trunk/Source/WebCore/svg/SVGTRefElement.h 2011-09-23 10:46:54 UTC (rev 95790)
+++ trunk/Source/WebCore/svg/SVGTRefElement.h 2011-09-23 10:56:23 UTC (rev 95791)
@@ -47,6 +47,7 @@
virtual bool childShouldCreateRenderer(Node*) const;
virtual bool rendererIsNeeded(const NodeRenderingContext&);
+ virtual void insertedIntoDocument();
virtual void removedFromDocument();
void updateReferencedText();