Title: [131820] trunk/Source/WebCore
Revision
131820
Author
[email protected]
Date
2012-10-18 16:06:59 -0700 (Thu, 18 Oct 2012)

Log Message

[GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame
https://bugs.webkit.org/show_bug.cgi?id=82882

Patch by Claudio Saavedra <[email protected]> on 2012-10-18
Reviewed by Xan Lopez.

Based on a patch by Milan Crha <[email protected]>

Prevent an invalid access to a pointer while clearing the DOM
object cache.
* bindings/gobject/DOMObjectCache.cpp:
(WebKit::DOMObjectCache::clearByFrame): Prevent an invalid access.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (131819 => 131820)


--- trunk/Source/WebCore/ChangeLog	2012-10-18 23:06:53 UTC (rev 131819)
+++ trunk/Source/WebCore/ChangeLog	2012-10-18 23:06:59 UTC (rev 131820)
@@ -1,3 +1,17 @@
+2012-10-18  Claudio Saavedra  <[email protected]>
+
+        [GTK] Invalid read from WebKit::DOMObjectCache::clearByFrame
+        https://bugs.webkit.org/show_bug.cgi?id=82882
+
+        Reviewed by Xan Lopez.
+
+        Based on a patch by Milan Crha <[email protected]>
+
+        Prevent an invalid access to a pointer while clearing the DOM
+        object cache.
+        * bindings/gobject/DOMObjectCache.cpp:
+        (WebKit::DOMObjectCache::clearByFrame): Prevent an invalid access.
+
 2012-10-18  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r131810.
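Review bot: The entry only says "Prevent an invalid access"; it should state the cause, since the ChangeLog is what people find first when bisecting. From the code comment in the DOMObjectCache.cpp hunk: the last g_object_unref() finalizes the object, DOMObject::finalize() calls DOMObjectCache::forget(), which frees 'data', so the loop must stop before its next iteration touches 'data'. One line such as "Set objectDead before the final unref so the loop does not dereference the freed 'data'" under the (WebKit::DOMObjectCache::clearByFrame) item would make the fix self-describing.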

Modified: trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp (131819 => 131820)


--- trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp	2012-10-18 23:06:53 UTC (rev 131819)
+++ trunk/Source/WebCore/bindings/gobject/DOMObjectCache.cpp	2012-10-18 23:06:59 UTC (rev 131820)
@@ -97,8 +97,17 @@
             // If this is the last unref we are going to do,
             // disconnect the weak ref. We cannot do it afterwards
             // because the object might be dead at that point.
-            if (data->timesReturned == 1)
+            if (data->timesReturned == 1) {
                 g_object_weak_unref(data->object, weakRefNotify, &objectDead);
+                // At this point, the next time the DOMObject is
+                // unref'ed it will be finalized,
+                // DOMObject::finalize() will call
+                // DOMObjectCache::forget(), which will free 'data'.
+                // Toggling 'objectDead' here will ensure we don't
+                // dereference an invalid pointer in the next
+                // iteration.
+                objectDead = TRUE;
+            }
             data->timesReturned--;
             g_object_unref(data->object);
         }
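Review bot: The new `objectDead = TRUE;` in the `timesReturned == 1` branch is only safe if the enclosing loop tests objectDead before it reads data->timesReturned again, because after the following g_object_unref(data->object) the object may be finalized and, as the added comment says, DOMObjectCache::forget() frees 'data'. The loop condition is outside this hunk, so consider making the order explicit right after the unref, e.g. `if (objectDead) break;`, rather than relying on operand order in the condition. Also note that with the weak ref already disconnected by g_object_weak_unref(), weakRefNotify can no longer set the flag for this final unref, so the explicit assignment is what keeps the loop from touching freed memory; a short comment that objectDead now means "do not touch 'data' again" (it is set whether or not the object is actually finalized) would help the next reader.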
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes