Title: [257456] releases/WebKitGTK/webkit-2.28/Source/WebCore
Revision
257456
Author
[email protected]
Date
2020-02-26 02:58:13 -0800 (Wed, 26 Feb 2020)

Log Message

Merge r257292 - PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
https://bugs.webkit.org/show_bug.cgi?id=204342

Reviewed by Carlos Garcia Campos.

m_deferredFocusedNodeChange keeps pairs of an old node and a new one
to update a focused node later. When a node is removed in the document,
it is also removed from the pair vector. The problem is that only comparing
the new node in each pair with a removed node decides the removal.
In the case where the removed node lives in m_deferredFocusedNodeChange
as an old node, a crash happens while we get a renderer of the removed node
to handle focused elements. To fix this, we find all entries whose old node
matches the removed node, and set their first value null.

No new tests since no functionality changed.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

Diff

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog (257455 => 257456)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-26 10:58:08 UTC (rev 257455)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/ChangeLog	2020-02-26 10:58:13 UTC (rev 257456)
@@ -1,3 +1,24 @@
+2020-02-24  ChangSeok Oh  <[email protected]>
+
+        PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
+        https://bugs.webkit.org/show_bug.cgi?id=204342
+
+        Reviewed by Carlos Garcia Campos.
+
+        m_deferredFocusedNodeChange keeps pairs of a old node and a new one
+        to update a focused node later. When a node is removed in the document,
+        it is also removed from the pair vector. The problem is only comparing
+        the new node in each pair with a removed node decides the removal.
+        In the case where the removed node lives in m_deferredFocusedNodeChange
+        as an old node, a crash happens while we get a renderer of the removed node
+        to handle focused elements. To fix this, we find all entries of which old node
+        is matched to the removed node, and set their first value null.
+
+        No new tests since no functionality changed.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+
 2020-02-24  Chris Dumez  <[email protected]>
 
         Document / DOMWindow objects get leaked on CNN.com due to CSSTransitions
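Review bot: "No new tests since no functionality changed" is a weak justification for a use-after-free crash fix; a regression test that focuses an element, removes the previously focused node before the deferred focus update runs, and checks that the page does not crash would keep this from regressing. The description also says the crash happens when the renderer of the removed old node is fetched; it would help to state explicitly that the code draining m_deferredFocusedNodeChange handles a null first element, since the fix relies on that.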

Modified: releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/AXObjectCache.cpp (257455 => 257456)


--- releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/AXObjectCache.cpp	2020-02-26 10:58:08 UTC (rev 257455)
+++ releases/WebKitGTK/webkit-2.28/Source/WebCore/accessibility/AXObjectCache.cpp	2020-02-26 10:58:13 UTC (rev 257456)
@@ -877,6 +877,12 @@
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
         return entry.second == &node;
     });
+    // Set nullptr to the old focused node if it is being removed.
+    std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+        if (entry.first == &node)
+            entry.first = nullptr;
+    });
+
     removeNodeForUse(node);
 
     remove(m_nodeObjectMapping.take(&node));
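Review bot: The new loop leaves entries with a nullptr first element in m_deferredFocusedNodeChange, so the fix is only complete if the code that later drains the vector null-checks entry.first before dereferencing it; that consumer is not in this hunk and should be verified (or given the null check in the same change). Style-wise, WebKit code generally prefers a range-based loop over std::for_each with a lambda, e.g. `for (auto& entry : m_deferredFocusedNodeChange) { if (entry.first == &node) entry.first = nullptr; }`, which also avoids depending on an <algorithm> include that is not visible here, and the comment reads more clearly as "Clear the old focused node if it is being removed." Longer term, holding the two nodes as weak pointers instead of raw pointers would remove the reliance on remove() being called for every node that goes away.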