Title: [145648] branches/safari-536.30-branch/Source/WebCore
- Revision
- 145648
- Author
- [email protected]
- Date
- 2013-03-12 18:12:32 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r138863. <rdar://problem/13335068>
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145647 => 145648)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:06:15 UTC (rev 145647)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:12:32 UTC (rev 145648)
@@ -1,5 +1,31 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r138863
+
+ 2013-01-04 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
+ https://bugs.webkit.org/show_bug.cgi?id=100152
+
+ Reviewed by Adam Barth.
+
+ XMLDocumentParser can be blown away inside document()->styleResolverChanged()
+ call. Protect it with a local RefPtr in Document::explitClose.
+
+ No new tests. The site specific dependencies are hard to minimize.
+
+ * dom/Document.cpp:
+ (WebCore::Document::explicitClose): RefPtr m_parser into a local, since
+ it can be detached and nulled out in DocumentWriter::end().
+ * xml/parser/XMLDocumentParser.cpp:
+ (WebCore::XMLDocumentParser::end): Bail out when we are detached.
+ * xml/parser/XMLDocumentParserLibxml2.cpp:
+ (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
+ * xml/parser/XMLDocumentParserQt.cpp:
+ (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r138850
2013-01-04 Abhishek Arya <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp (145647 => 145648)
--- branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp 2013-03-13 01:06:15 UTC (rev 145647)
+++ branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp 2013-03-13 01:12:32 UTC (rev 145648)
@@ -2359,8 +2359,8 @@
void Document::explicitClose()
{
- if (m_parser)
- m_parser->finish();
+ if (RefPtr<DocumentParser> parser = m_parser)
+ parser->finish();
if (!m_frame) {
// Because we have no frame, we don't know if all loading has completed,
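Review bot: The local `RefPtr<DocumentParser> parser` on the changed lines carries its reason only in the ChangeLog; the code should say why m_parser is not used directly, otherwise a later cleanup can simplify it back to the original form and reintroduce the use-after-free. Suggested comment above the `if`: `// finish() can re-enter DocumentWriter::end(), which detaches the parser and clears m_parser; the local RefPtr keeps it alive until finish() returns.` The remainder of explicitClose() is outside this hunk; as far as it reads m_frame rather than m_parser after the call, it is unaffected, but that cannot be confirmed from the lines shown.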
Modified: branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParser.cpp (145647 => 145648)
--- branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2013-03-13 01:06:15 UTC (rev 145647)
+++ branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParser.cpp 2013-03-13 01:12:32 UTC (rev 145648)
@@ -196,6 +196,11 @@
doEnd();
+ // doEnd() call above can detach the parser and null out its document.
+ // In that case, we just bail out.
+ if (isDetached())
+ return;
+
// doEnd() could process a script tag, thus pausing parsing.
if (m_parserPaused)
return;
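Review bot: The new `isDetached()` guard protects the `document()` dereferences that follow in end(), which continues outside this hunk, but nothing makes that assumption checkable: if a future path clears the document without detaching the parser, the guard passes and the original use-after-free comes back silently. Following the guard with `ASSERT(document());` would turn that into a debug-build failure at the point of the assumption instead of a memory error later. The same applies to the corresponding guards added in XMLDocumentParserLibxml2.cpp doEnd() and XMLDocumentParserQt.cpp doEnd(), where `document()->setParsing(true)` runs immediately after the check.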
Modified: branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp (145647 => 145648)
--- branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2013-03-13 01:06:15 UTC (rev 145647)
+++ branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp 2013-03-13 01:12:32 UTC (rev 145648)
@@ -1329,8 +1329,13 @@
document()->setParsing(false); // Make the document think it's done, so it will apply XSL stylesheets.
document()->styleResolverChanged(RecalcStyleImmediately);
+
+ // styleResolverChanged() call can detach the parser and null out its document.
+ // In that case, we just bail out.
+ if (isDetached())
+ return;
+
document()->setParsing(true);
-
DocumentParser::stopParsing();
}
#endif
Modified: branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp (145647 => 145648)
--- branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp 2013-03-13 01:06:15 UTC (rev 145647)
+++ branches/safari-536.30-branch/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp 2013-03-13 01:12:32 UTC (rev 145648)
@@ -203,6 +203,12 @@
document()->setTransformSource(adoptPtr(new TransformSource(m_originalSourceForTransform)));
document()->setParsing(false); // Make the doc think it's done, so it will apply xsl sheets.
document()->styleResolverChanged(RecalcStyleImmediately);
+
+ // styleResolverChanged() call can detach the parser and null out its document.
+ // In that case, we just bail out.
+ if (isDetached())
+ return;
+
document()->setParsing(true);
DocumentParser::stopParsing();
}