Title: [200762] branches/safari-601.1.46-branch/Source/WebCore
- Revision
- 200762
- Author
- [email protected]
- Date
- 2016-05-12 02:12:33 -0700 (Thu, 12 May 2016)
Log Message
Merge r200091. rdar://problem/26228870
Modified Paths
Diff
Modified: branches/safari-601.1.46-branch/Source/WebCore/ChangeLog (200761 => 200762)
--- branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-05-12 09:12:31 UTC (rev 200761)
+++ branches/safari-601.1.46-branch/Source/WebCore/ChangeLog 2016-05-12 09:12:33 UTC (rev 200762)
@@ -1,5 +1,29 @@
2016-05-12 Matthew Hanson <[email protected]>
+ Merge r200091. rdar://problem/26228870
+
+ 2016-04-26 Brent Fulgham <[email protected]>
+
+ GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
+ https://bugs.webkit.org/show_bug.cgi?id=157020
+ <rdar://problem/25148315>
+
+ Reviewed by Darin Adler.
+
+ Calls to setIntegralAttribute triggers event handling code, which can cause
+ the underlying m_frameOwnerElement member to be deleted. We could clone this
+ object, but since we only want the width and height we should just read them
+ while we know the object is in a good state, then execute the potentially
+ mutating methods.
+
+ Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.
+
+ * html/HTMLBodyElement.cpp:
+ (WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
+ calling setIntegralAttribute.
+
+2016-05-12 Matthew Hanson <[email protected]>
+
Merge r199243. rdar://problem/26228921
2016-04-08 Said Abou-Hallawa <sabouhallawa@apple,com>
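Review bot: the ChangeLog text "Calls to setIntegralAttribute triggers event handling code" has a subject/verb mismatch; it should read "Calls to setIntegralAttribute trigger event handling code". Separately, the entry says the change is covered by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html, but this merge touches only branches/safari-601.1.46-branch/Source/WebCore (see the revision title and the modified paths), so please confirm that test already exists on the 601.1.46 branch or merge it alongside; otherwise the branch has the fix with no regression test for it.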
Modified: branches/safari-601.1.46-branch/Source/WebCore/html/HTMLBodyElement.cpp (200761 => 200762)
--- branches/safari-601.1.46-branch/Source/WebCore/html/HTMLBodyElement.cpp 2016-05-12 09:12:31 UTC (rev 200761)
+++ branches/safari-601.1.46-branch/Source/WebCore/html/HTMLBodyElement.cpp 2016-05-12 09:12:33 UTC (rev 200762)
@@ -193,17 +193,22 @@
// FIXME: It's surprising this is web compatible since it means a marginwidth and marginheight attribute can
// magically appear on the <body> of all documents embedded through <iframe> or <frame>.
// FIXME: Perhaps this code should be in attach() instead of here.
- HTMLFrameOwnerElement* ownerElement = document().ownerElement();
- if (is<HTMLFrameElementBase>(ownerElement)) {
- HTMLFrameElementBase& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
- int marginWidth = ownerFrameElement.marginWidth();
- if (marginWidth != -1)
- setIntegralAttribute(marginwidthAttr, marginWidth);
- int marginHeight = ownerFrameElement.marginHeight();
- if (marginHeight != -1)
- setIntegralAttribute(marginheightAttr, marginHeight);
- }
+ auto* ownerElement = document().ownerElement();
+ if (!is<HTMLFrameElementBase>(ownerElement))
+ return InsertionDone;
+
+ auto& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
+ // Read values from the owner before setting any attributes, since setting an attribute can run arbitrary
+ // _javascript_, which might delete the owner element.
+ int marginWidth = ownerFrameElement.marginWidth();
+ int marginHeight = ownerFrameElement.marginHeight();
+
+ if (marginWidth != -1)
+ setIntegralAttribute(marginwidthAttr, marginWidth);
+ if (marginHeight != -1)
+ setIntegralAttribute(marginheightAttr, marginHeight);
+
return InsertionDone;
}
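Review bot: the reordering keeps the owner element from being dereferenced after a mutating call, but `this` is still used across both setIntegralAttribute calls, and the new comment itself says setting an attribute can run arbitrary JavaScript. If a handler fired by the marginwidth set can remove or destroy the body element, the following `setIntegralAttribute(marginheightAttr, marginHeight)` runs on a possibly detached or freed node; unless insertedInto's callers already guarantee the node's lifetime, consider holding a `Ref<HTMLBodyElement> protectedThis(*this);` before the first setIntegralAttribute. Minor: reading marginWidth and marginHeight unconditionally up front is the right call here, since the point is to take both values while the owner is known to be alive; a short comment on why the early `return InsertionDone;` replaced the `if` block is not needed, but keep the two return sites consistent if more work is added to this function later.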
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes