Skip to site navigation (Press enter)

[webkit-changes] [223520] releases/WebKitGTK/webkit-2.18

carlosgc Tue, 17 Oct 2017 04:43:06 -0700

Title: [223520] releases/WebKitGTK/webkit-2.18

Revision: 223520
Author: [email protected]
Date: 2017-10-17 04:42:47 -0700 (Tue, 17 Oct 2017)

Log Message

Merge r223028 - Nullptr deref in WebCore::Node::computeEditability
https://bugs.webkit.org/show_bug.cgi?id=177905
<rdar://problem/34138402>


Reviewed by Darin Adler.

Source/WebCore:

Script can run when setting focus, because a blur event and a focus event are generated.
A handler for one of these events can cause the focused element to be cleared. We should
handle this possibility gracefully.

Test: fast/dom/focus-shift-crash.html

* dom/Document.cpp:
(WebCore::Document::setFocusedElement):

LayoutTests:

* fast/dom/focus-shift-crash-expected.txt: Added.
* fast/dom/focus-shift-crash.html: Added.

Modified Paths

releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog
releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog
releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/Document.cpp

Added Paths

releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash-expected.txt
releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash.html

Diff

Modified: releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog (223519 => 223520)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog	2017-10-17 11:37:47 UTC (rev 223519)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/ChangeLog	2017-10-17 11:42:47 UTC (rev 223520)
@@ -1,3 +1,14 @@
+2017-10-08  Brent Fulgham  <[email protected]>
+
+        Nullptr deref in WebCore::Node::computeEditability
+        https://bugs.webkit.org/show_bug.cgi?id=177905
+        <rdar://problem/34138402>
+
+        Reviewed by Darin Adler.
+
+        * fast/dom/focus-shift-crash-expected.txt: Added.
+        * fast/dom/focus-shift-crash.html: Added.
+
 2017-10-04  Joanmarie Diggs  <[email protected]>
 
         AX: [ATK] aria-pressed="mixed" should be exposed via ATK_STATE_INDETERMINATE

Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash-expected.txt (0 => 223520)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash-expected.txt	2017-10-17 11:42:47 UTC (rev 223520)
@@ -0,0 +1 @@
+The test passes if it does not crash or assert in debug mode.

Added: releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash.html (0 => 223520)


--- releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/LayoutTests/fast/dom/focus-shift-crash.html	2017-10-17 11:42:47 UTC (rev 223520)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function blurHandler() {
+    var body = document.getElementById("testBody");
+    var frame = document.getElementById("testFrame");
+    body.appendChild(frame);
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function audioHandler() {
+    var frameSet = document.createElement("frameset");
+    frameSet.setAttribute("onblur", "blurHandler()");
+
+    var frame = document.getElementById("testFrame");
+    frame.focus();
+}
+</script>
+</head>
+<body id="testBody">
+    The test passes if it does not crash or assert in debug mode.
+    <audio src="" _onloadstart_="audioHandler()"></audio>
+    <iframe id="testFrame" srcdoc="test"></iframe>
+</body>
+</html>

Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog (223519 => 223520)


--- releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog	2017-10-17 11:37:47 UTC (rev 223519)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/ChangeLog	2017-10-17 11:42:47 UTC (rev 223520)
@@ -1,3 +1,20 @@
+2017-10-08  Brent Fulgham  <[email protected]>
+
+        Nullptr deref in WebCore::Node::computeEditability
+        https://bugs.webkit.org/show_bug.cgi?id=177905
+        <rdar://problem/34138402>
+
+        Reviewed by Darin Adler.
+
+        Script can run when setting focus, because a blur event and a focus event are generated.
+        A handler for one of these events can cause the focused element to be cleared. We should
+        handle this possibility gracefully.
+
+        Test: fast/dom/focus-shift-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::setFocusedElement):
+
 2017-10-05  Frederic Wang  <[email protected]>
 
         Update Source/ThirdParty/woff2 to 22c256bc457777744ba14b7325a6e8e0e7dec91c

Modified: releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/Document.cpp (223519 => 223520)


--- releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/Document.cpp	2017-10-17 11:37:47 UTC (rev 223519)
+++ releases/WebKitGTK/webkit-2.18/Source/WebCore/dom/Document.cpp	2017-10-17 11:42:47 UTC (rev 223520)
@@ -3845,6 +3845,13 @@
 
         m_focusedElement->setFocus(true);
 
+        // The setFocus call triggers a blur and a focus event. Event handlers could cause the focused element to be cleared.
+        if (m_focusedElement != newFocusedElement) {
+            // handler shifted focus
+            focusChangeBlocked = true;
+            goto SetFocusedNodeDone;
+        }
+
         if (m_focusedElement->isRootEditableElement())
             frame()->editor().didBeginEditing();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes