Title: [125951] trunk
- Revision: 125951
- Author: [email protected]
- Date: 2012-08-17 17:06:39 -0700 (Fri, 17 Aug 2012)
Log Message
Disconnect UndoManager when its undo scope host is destroyed
https://bugs.webkit.org/show_bug.cgi?id=94388
Patch by Sukolsak Sakshuwong <[email protected]> on 2012-08-17
Reviewed by Ryosuke Niwa.
Source/WebCore:
Disconnect UndoManager in Element's destructor to prevent
use-after-free vulnerabilities.
Test: editing/undomanager/undoscopehost-use-after-free.html
* dom/Element.cpp:
(WebCore::Element::~Element):
LayoutTests:
* editing/undomanager/undoscopehost-use-after-free-expected.txt: Added.
* editing/undomanager/undoscopehost-use-after-free.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (125950 => 125951)
--- trunk/LayoutTests/ChangeLog 2012-08-17 23:57:47 UTC (rev 125950)
+++ trunk/LayoutTests/ChangeLog 2012-08-18 00:06:39 UTC (rev 125951)
@@ -1,3 +1,13 @@
+2012-08-17 Sukolsak Sakshuwong <[email protected]>
+
+ Disconnect UndoManager when its undo scope host is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=94388
+
+ Reviewed by Ryosuke Niwa.
+
+ * editing/undomanager/undoscopehost-use-after-free-expected.txt: Added.
+ * editing/undomanager/undoscopehost-use-after-free.html: Added.
+
2012-08-17 Sheriff Bot <[email protected]>
Unreviewed, rolling out r125922.
Added: trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt (0 => 125951)
--- trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt (rev 0)
+++ trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt 2012-08-18 00:06:39 UTC (rev 125951)
@@ -0,0 +1,11 @@
+This tests that undoManager doesn't have use-after-free vulnerabilities after its undoScopeHost has been reclaimed by GC.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+call transact() after the undoScopeHost has been reclaimed.
+PASS undoManager.transact(transaction) threw exception Error: INVALID_ACCESS_ERR: DOM Exception 15.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
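Review bot: the expectation pins the exact exception text `Error: INVALID_ACCESS_ERR: DOM Exception 15` on the `PASS undoManager.transact(transaction) threw exception` line, so a later change to how DOM exceptions stringify will surface here as a failure that has nothing to do with undo scopes; that is the usual layout-test trade-off, but worth knowing. Note also that this PASS line only shows transact() now refuses a collected host; the original use-after-free would manifest as a crash or memory-checker report, not as a wrong line in this file, so the test only covers the bug when run in a configuration that detects bad memory accesses.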
Added: trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free.html (0 => 125951)
--- trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free.html (rev 0)
+++ trunk/LayoutTests/editing/undomanager/undoscopehost-use-after-free.html 2012-08-18 00:06:39 UTC (rev 125951)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div id="div" undoscope></div>
+<script>
+description("This tests that undoManager doesn't have use-after-free vulnerabilities "
+ + "after its undoScopeHost has been reclaimed by GC.");
+
+var div = document.getElementById("div");
+var undoManager = div.undoManager;
+
+div.parentNode.removeChild(div);
+div = null;
+gc();
+
+var transaction = {
+ "execute": function() { },
+ "undo": function() { },
+ "redo": function() { }
+};
+
+debug("call transact() after the undoScopeHost has been reclaimed.");
+shouldThrow("undoManager.transact(transaction)", "'Error: INVALID_ACCESS_ERR: DOM Exception 15'");
+
+var successfullyParsed = true;
+</script>
+<script src=""
+</body>
+</html>
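Review bot: the two `<script src=""` lines as rendered are truncated (empty src, no closing `>`, no `</script>`), yet the body relies on `description`, `debug`, `shouldThrow` and `successfullyParsed` from the shared js-test harness, so confirm the committed file actually references that harness and that the display is the only thing broken. Second, `gc();` is only available under the test runner; if the harness does not supply a fallback, the script aborts with a ReferenceError before `shouldThrow` runs and the test fails for the wrong reason. Finally, `div = null;` is load-bearing: dropping the last reference to the host while `undoManager` stays alive is precisely the scenario that used to dereference freed memory, so a one-line comment there would help the next reader.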
Modified: trunk/Source/WebCore/ChangeLog (125950 => 125951)
--- trunk/Source/WebCore/ChangeLog 2012-08-17 23:57:47 UTC (rev 125950)
+++ trunk/Source/WebCore/ChangeLog 2012-08-18 00:06:39 UTC (rev 125951)
@@ -1,3 +1,18 @@
+2012-08-17 Sukolsak Sakshuwong <[email protected]>
+
+ Disconnect UndoManager when its undo scope host is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=94388
+
+ Reviewed by Ryosuke Niwa.
+
+ Disconnect UndoManager in Element's destructor to prevent
+ use-after-free vulnerabilities.
+
+ Test: editing/undomanager/undoscopehost-use-after-free.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::~Element):
+
2012-08-17 Dan Bernstein <[email protected]>
Fixed incorrect references to JSVoidCallback.{cpp,h} in the project file.
Modified: trunk/Source/WebCore/dom/Element.cpp (125950 => 125951)
--- trunk/Source/WebCore/dom/Element.cpp 2012-08-17 23:57:47 UTC (rev 125950)
+++ trunk/Source/WebCore/dom/Element.cpp 2012-08-18 00:06:39 UTC (rev 125951)
@@ -146,6 +146,13 @@
ASSERT(m_attributeData);
m_attributeData->detachAttrObjectsFromElement(this);
}
+
+#if ENABLE(UNDO_MANAGER)
+ if (hasRareData() && elementRareData()->m_undoManager) {
+ elementRareData()->m_undoManager->disconnect();
+ elementRareData()->m_undoManager.clear();
+ }
+#endif
}
inline ElementRareData* Element::elementRareData() const
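Review bot: `elementRareData()` is called three times in the new block; cache it once (`ElementRareData* data = elementRareData();`) since the inline definition sits directly below the hunk and the two uses are on consecutive lines. More importantly, `disconnect()` only removes the dangling host pointer if every UndoManager entry point afterwards checks for a missing host and raises INVALID_ACCESS_ERR, which is what the new layout test expects from `transact()`; that code is not in this diff, so confirm `UndoManager::transact` and the other entry points perform that check instead of dereferencing the cleared host. The `hasRareData()` guard is correct: an element that never owned an undo manager has no rare data, and the destructor must not allocate any.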
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes