Skip to site navigation (Press enter)

[webkit-changes] [127630] branches/chromium/1229

cevans Wed, 05 Sep 2012 12:26:19 -0700

Title: [127630] branches/chromium/1229

Revision: 127630
Author: [email protected]
Date: 2012-09-05 12:27:07 -0700 (Wed, 05 Sep 2012)

Log Message

Merge 127117
BUG=143609
Review URL: https://chromiumcodereview.appspot.com/10909084


Modified Paths

branches/chromium/1229/Source/WebCore/bindings/v8/V8AbstractEventListener.h


Added Paths

branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt
branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html

Diff

Copied: branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt (from rev 127117, trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt) (0 => 127630)


--- branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash-expected.txt	2012-09-05 19:27:07 UTC (rev 127630)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 16: Uncaught SyntaxError: Unexpected token ;
+Test passes if it does not crash.

Copied: branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html (from rev 127117, trunk/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html) (0 => 127630)


--- branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html	                        (rev 0)
+++ branches/chromium/1229/LayoutTests/fast/events/set-attribute-listener-window-onerror-crash.html	2012-09-05 19:27:07 UTC (rev 127630)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash.
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function errorHandler() {
+    document.body.setAttribute("onclick", "var x=;");
+}
+
+window._onerror_ = errorHandler;
+document.body.setAttribute("onclick", "var x=;");
+document.body.onclick;
+</script>
+</html>

Modified: branches/chromium/1229/Source/WebCore/bindings/v8/V8AbstractEventListener.h (127629 => 127630)


--- branches/chromium/1229/Source/WebCore/bindings/v8/V8AbstractEventListener.h	2012-09-05 19:20:34 UTC (rev 127629)
+++ branches/chromium/1229/Source/WebCore/bindings/v8/V8AbstractEventListener.h	2012-09-05 19:27:07 UTC (rev 127630)
@@ -79,6 +79,11 @@
         // Returns the listener object, either a function or an object.
         v8::Local<v8::Object> getListenerObject(ScriptExecutionContext* context)
         {
+            // prepareListenerObject can potentially deref this event listener
+            // as it may attempt to compile a function (lazy event listener), get an error
+            // and invoke onerror callback which can execute arbitrary JS code.
+            // Protect this event listener to keep it alive.
+            RefPtr<V8AbstractEventListener> guard(this);
             prepareListenerObject(context);
             return v8::Local<v8::Object>::New(m_listener);
         }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes