Title: [115625] trunk
- Revision: 115625
- Author: [email protected]
- Date: 2012-04-30 05:55:58 -0700 (Mon, 30 Apr 2012)
Log Message
Protect current element in HTMLLinkElement::setCSSStyleSheet
https://bugs.webkit.org/show_bug.cgi?id=85166
Source/WebCore:
Reviewed by Andreas Kling.
Stylesheet loading can trigger script execution.
Test: fast/css/cached-sheet-restore-crash.html
* html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::setCSSStyleSheet):
LayoutTests:
Reviewed by Andreas Kling.
* fast/css/cached-sheet-restore-crash-expected.txt: Added.
* fast/css/cached-sheet-restore-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (115624 => 115625)
--- trunk/LayoutTests/ChangeLog 2012-04-30 11:58:42 UTC (rev 115624)
+++ trunk/LayoutTests/ChangeLog 2012-04-30 12:55:58 UTC (rev 115625)
@@ -1,3 +1,13 @@
+2012-04-30 Antti Koivisto <[email protected]>
+
+ Protect current element in HTMLLinkElement::setCSSStyleSheet
+ https://bugs.webkit.org/show_bug.cgi?id=85166
+
+ Reviewed by Andreas Kling.
+
+ * fast/css/cached-sheet-restore-crash-expected.txt: Added.
+ * fast/css/cached-sheet-restore-crash.html: Added.
+
2012-04-30 Pavel Feldman <[email protected]>
Not reviewed: chromium expectations updated.
Added: trunk/LayoutTests/fast/css/cached-sheet-restore-crash-expected.txt (0 => 115625)
--- trunk/LayoutTests/fast/css/cached-sheet-restore-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/css/cached-sheet-restore-crash-expected.txt 2012-04-30 12:55:58 UTC (rev 115625)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
Added: trunk/LayoutTests/fast/css/cached-sheet-restore-crash.html (0 => 115625)
--- trunk/LayoutTests/fast/css/cached-sheet-restore-crash.html (rev 0)
+++ trunk/LayoutTests/fast/css/cached-sheet-restore-crash.html 2012-04-30 12:55:58 UTC (rev 115625)
@@ -0,0 +1,10 @@
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<body>
+<link href="" rel="stylesheet">
+<link href="" rel="stylesheet">
+<script>
+document.body.innerHTML = "This test passes if it doesn't crash.";
+</script>
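Review bot: the test file carries no comment saying what it exercises, so a reader cannot tell why two `<link href="" rel="stylesheet">` elements followed by `document.body.innerHTML = ...` are needed, and the only expectation is "This test passes if it doesn't crash." Add a short comment in the file stating the scenario from the ChangeLog (sheet load completion running script while the link elements are being torn down) so the regression test stays meaningful if the markup is ever simplified.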
Modified: trunk/Source/WebCore/ChangeLog (115624 => 115625)
--- trunk/Source/WebCore/ChangeLog 2012-04-30 11:58:42 UTC (rev 115624)
+++ trunk/Source/WebCore/ChangeLog 2012-04-30 12:55:58 UTC (rev 115625)
@@ -1,3 +1,17 @@
+2012-04-30 Antti Koivisto <[email protected]>
+
+ Protect current element in HTMLLinkElement::setCSSStyleSheet
+ https://bugs.webkit.org/show_bug.cgi?id=85166
+
+ Reviewed by Andreas Kling.
+
+ Stylesheet loading can trigger script execution.
+
+ Test: fast/css/cached-sheet-restore-crash.html
+
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::setCSSStyleSheet):
+
2012-04-29 Keishi Hattori <[email protected]>
Build fix for LocalizedDateMac.mm
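Review bot: the ChangeLog entry says only "Stylesheet loading can trigger script execution." without saying how script comes to run inside `HTMLLinkElement::setCSSStyleSheet` or why that can destroy the element; one sentence naming the path (the cached-sheet restore case the test name refers to) would make the reason for the new protector clear to future readers of the entry.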
Modified: trunk/Source/WebCore/html/HTMLLinkElement.cpp (115624 => 115625)
--- trunk/Source/WebCore/html/HTMLLinkElement.cpp 2012-04-30 11:58:42 UTC (rev 115624)
+++ trunk/Source/WebCore/html/HTMLLinkElement.cpp 2012-04-30 12:55:58 UTC (rev 115625)
@@ -293,6 +293,8 @@
ASSERT(!m_sheet);
return;
}
+ // Completing the sheet load may cause scripts to execute.
+ RefPtr<Node> protector(this);
CSSParserContext parserContext(document(), baseURL, charset);
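Review bot: `RefPtr<Node> protector(this)` keeps the element alive across the script execution the comment mentions, but it does not keep its state stable: script can remove the element from the document or change its attributes before the remainder of `setCSSStyleSheet` runs, and the code after `CSSParserContext parserContext(document(), baseURL, charset);` is outside this hunk, so any member state used past the point where script may run should be re-validated (for example, that the element is still in the document) rather than assumed unchanged. The comment would also be more useful if it named which call completes the load and can run script, since the protector is placed before `CSSParserContext` rather than at the call itself.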