Title: [200840] releases/WebKitGTK/webkit-2.12/Source/WebCore
Revision
200840
Author
[email protected]
Date
2016-05-13 04:38:40 -0700 (Fri, 13 May 2016)

Log Message

Merge r200091 - GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
https://bugs.webkit.org/show_bug.cgi?id=157020
<rdar://problem/25148315>

Reviewed by Darin Adler.

Calls to setIntegralAttribute trigger event handling code, which can cause
the underlying m_frameOwnerElement member to be deleted. We could clone this
object, but since we only want the width and height we should just read them
while we know the object is in a good state, then execute the potentially
mutating methods.

Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.

* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
calling setIntegralAttribute.
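The ordering problem the commit message describes, modelled outside WebKit as an added example (this is not WebCore code; `FrameOwner`, `Document`, `BodyElement` and the `onAttributeChanged` hook are constructed stand-ins for the real classes and for the script that setIntegralAttribute can run). The pre-fix ordering reads the width, mutates, and only then reads the height through the same owner; a `std::weak_ptr` makes the dangling read observable instead of undefined behaviour. The post-fix ordering reads both values first, as the patch does.

```cpp
#include <functional>
#include <memory>

// Constructed stand-in for HTMLFrameElementBase: the object that can disappear.
struct FrameOwner {
    int marginWidth = 8;
    int marginHeight = 12;
};

// Constructed stand-in for the embedding document that owns the frame element.
struct Document {
    std::shared_ptr<FrameOwner> owner = std::make_shared<FrameOwner>();
    // Stands in for script that may run while an attribute is being set.
    std::function<void(Document&)> onAttributeChanged;
};

// Constructed stand-in for HTMLBodyElement.
struct BodyElement {
    Document& document;
    int marginwidthAttr = -1;
    int marginheightAttr = -1;

    explicit BodyElement(Document& d) : document(d) {}

    void setIntegralAttribute(int& attr, int value) {
        attr = value;
        if (document.onAttributeChanged)
            document.onAttributeChanged(document); // may destroy document.owner
    }
};

struct Margins {
    bool ownerAlive; // false when the owner was gone at a point the code read it
    int width;
    int height;
};

// Pre-fix ordering: read width, mutate, then read height from the same owner.
Margins insertedIntoBefore(BodyElement& body) {
    std::weak_ptr<FrameOwner> weakOwner = body.document.owner;
    auto owner = weakOwner.lock();
    if (!owner)
        return {false, -1, -1};
    int marginWidth = owner->marginWidth;
    owner.reset(); // the real code held a plain reference, not an owning pointer
    if (marginWidth != -1)
        body.setIntegralAttribute(body.marginwidthAttr, marginWidth);
    owner = weakOwner.lock();
    if (!owner)
        return {false, marginWidth, -1}; // real code: use-after-free in marginHeight()
    int marginHeight = owner->marginHeight;
    owner.reset();
    if (marginHeight != -1)
        body.setIntegralAttribute(body.marginheightAttr, marginHeight);
    return {true, marginWidth, marginHeight};
}

// Post-fix ordering: read both values, then perform the potentially mutating calls.
Margins insertedIntoAfter(BodyElement& body) {
    auto owner = body.document.owner;
    if (!owner)
        return {false, -1, -1};
    int marginWidth = owner->marginWidth;
    int marginHeight = owner->marginHeight;
    owner.reset(); // nothing from the owner is touched from here on
    if (marginWidth != -1)
        body.setIntegralAttribute(body.marginwidthAttr, marginWidth);
    if (marginHeight != -1)
        body.setIntegralAttribute(body.marginheightAttr, marginHeight);
    return {true, marginWidth, marginHeight};
}

// Constructed scenario: the attribute-change hook drops the frame owner, the way
// script removing the embedding <iframe> would during the first setIntegralAttribute.
struct Scenario {
    Document document;
    BodyElement body;
    Scenario() : body(document) {
        document.onAttributeChanged = [](Document& d) { d.owner.reset(); };
    }
};

Margins runBefore() { Scenario s; return insertedIntoBefore(s.body); }
Margins runAfter() { Scenario s; return insertedIntoAfter(s.body); }
int afterHeightAttr() { Scenario s; insertedIntoAfter(s.body); return s.body.marginheightAttr; }
```

`runBefore()` reports the owner already gone when the second read happens, which is the crash GuardMalloc caught; `runAfter()` completes with both margins applied. The "clone this object" alternative the commit mentions corresponds, in this model, to keeping the `shared_ptr` alive across the mutating calls instead of resetting it; the commit's cheaper choice is to copy out the two integers and let the owner go.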

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (200839 => 200840)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-05-13 11:36:41 UTC (rev 200839)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-05-13 11:38:40 UTC (rev 200840)
@@ -1,3 +1,23 @@
+2016-04-26  Brent Fulgham  <[email protected]>
+
+        GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight() 
+        https://bugs.webkit.org/show_bug.cgi?id=157020
+        <rdar://problem/25148315>
+
+        Reviewed by Darin Adler.
+
+        Calls to setIntegralAttribute triggers event handling code, which can cause
+        the underlying m_frameOwnerElement member to be deleted. We could clone this
+        object, but since we only want the width and height we should just read them
+        while we know the object is in a good state, then execute the potentially
+        mutating methods.
+
+        Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.
+
+        * html/HTMLBodyElement.cpp:
+        (WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
+        calling setIntegralAttribute.
+
 2016-04-25  Brent Fulgham  <[email protected]>
 
         Add port 4190 (managesieve) to port blacklist
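Review bot: in the new ChangeLog entry, "Calls to setIntegralAttribute triggers event handling code" should read "trigger", and the title line "GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight() " carries a trailing space; both are worth tidying before landing. Otherwise the entry matches the code change (the two reads moved ahead of setIntegralAttribute) and names the regression test.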

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp (200839 => 200840)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp	2016-05-13 11:36:41 UTC (rev 200839)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp	2016-05-13 11:38:40 UTC (rev 200840)
@@ -193,17 +193,22 @@
     // FIXME: It's surprising this is web compatible since it means a marginwidth and marginheight attribute can
     // magically appear on the <body> of all documents embedded through <iframe> or <frame>.
     // FIXME: Perhaps this code should be in attach() instead of here.
-    HTMLFrameOwnerElement* ownerElement = document().ownerElement();
-    if (is<HTMLFrameElementBase>(ownerElement)) {
-        HTMLFrameElementBase& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
-        int marginWidth = ownerFrameElement.marginWidth();
-        if (marginWidth != -1)
-            setIntegralAttribute(marginwidthAttr, marginWidth);
-        int marginHeight = ownerFrameElement.marginHeight();
-        if (marginHeight != -1)
-            setIntegralAttribute(marginheightAttr, marginHeight);
-    }
+    auto* ownerElement = document().ownerElement();
+    if (!is<HTMLFrameElementBase>(ownerElement))
+        return InsertionDone;
+    
+    auto& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
 
+    // Read values from the owner before setting any attributes, since setting an attribute can run arbitrary
+    // _javascript_, which might delete the owner element.
+    int marginWidth = ownerFrameElement.marginWidth();
+    int marginHeight = ownerFrameElement.marginHeight();
+
+    if (marginWidth != -1)
+        setIntegralAttribute(marginwidthAttr, marginWidth);
+    if (marginHeight != -1)
+        setIntegralAttribute(marginheightAttr, marginHeight);
+
     return InsertionDone;
 }
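Review bot: `ownerFrameElement` stays in scope after the two `setIntegralAttribute` calls even though, as the new comment says, the owner may have been deleted by then; wrapping the `auto&` and the two reads in their own block would turn any later re-use of the reference below the mutating calls into a compile error rather than a review catch. Separately, the same script that can delete the owner can also run between the first and second `setIntegralAttribute`, so the code relies on `this` (the body element) surviving the first call; that is pre-existing behaviour rather than something this patch introduces, but a second regression test that removes the body itself from the first attribute change would pin it down. The early `return InsertionDone` for a non-frame owner keeps the previous behaviour.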
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
