Title: [199245] trunk/Source/WebCore
Revision
199245
Author
[email protected]
Date
2016-04-08 13:46:25 -0700 (Fri, 08 Apr 2016)

Log Message

[WK1] Wheel event callback removing the window causes crash in WebCore
https://bugs.webkit.org/show_bug.cgi?id=156409
<rdar://problem/25631267>

Reviewed by Simon Fraser.

Null check the Widget before using it, since the iframe may have been removed
from its parent document inside the event handler.

This is the WK1 fix for https://bugs.webkit.org/show_bug.cgi?id=150871.

Tested by fast/events/wheel-event-destroys-frame.html

* page/EventHandler.cpp:
(WebCore::widgetForElement): Added.
(WebCore::EventHandler::handleWheelEvent): Use new helper function to
clean up the code, and allow us to check that the Widget has not been
destroyed during the event handler.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (199244 => 199245)


--- trunk/Source/WebCore/ChangeLog	2016-04-08 20:19:26 UTC (rev 199244)
+++ trunk/Source/WebCore/ChangeLog	2016-04-08 20:46:25 UTC (rev 199245)
@@ -1,3 +1,24 @@
+2016-04-08  Brent Fulgham  <[email protected]>
+
+        [WK1] Wheel event callback removing the window causes crash in WebCore
+        https://bugs.webkit.org/show_bug.cgi?id=156409
+        <rdar://problem/25631267>
+
+        Reviewed by Simon Fraser.
+
+        Null check the Widget before using it, since the iframe may have been removed
+        from its parent document inside the event handler.
+
+        This is the WK1 fix for https://bugs.webkit.org/show_bug.cgi?id=150871.
+
+        Tested by fast/events/wheel-event-destroys-frame.html
+
+        * page/EventHandler.cpp:
+        (WebCore::widgetForElement): Added.
+        (WebCore::EventHandler::handleWheelEvent): Use new helper function to
+        clean up the code, and allow us to check that the Widget has not been
+        destroyed during the event handler.
+
 2016-04-08  Said Abou-Hallawa  <sabouhallawa@apple,com>
 
         Timing attack on SVG feComposite filter circumvents same-origin policy

Modified: trunk/Source/WebCore/page/EventHandler.cpp (199244 => 199245)


--- trunk/Source/WebCore/page/EventHandler.cpp	2016-04-08 20:19:26 UTC (rev 199244)
+++ trunk/Source/WebCore/page/EventHandler.cpp	2016-04-08 20:46:25 UTC (rev 199245)
@@ -2610,6 +2610,18 @@
 }
 #endif
 
+static Widget* widgetForElement(const Element& element)
+{
+    RenderElement* target = element.renderer();
+    if (!target)
+        return nullptr;
+
+    if (!is<RenderWidget>(target))
+        return nullptr;
+
+    return downcast<RenderWidget>(*target).widget();
+}
+
 bool EventHandler::handleWheelEvent(const PlatformWheelEvent& event)
 {
     RenderView* renderView = m_frame.contentRenderer();
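Review bot: widgetForElement's nullptr contract is not documented; a one-line comment above the definition would help, e.g. `// Returns the Widget hosted by |element|'s renderer, or nullptr when the element has no renderer or its renderer is not a RenderWidget (e.g. the frame was detached).` The separate `if (!target) return nullptr;` also looks redundant: the code removed in the next hunk called `is<RenderWidget>(target)` on the same pointer without a prior null check, which suggests the pointer overload already tolerates null, so the body could collapse to `if (!is<RenderWidget>(element.renderer())) return nullptr;` — worth confirming against the is<> pointer overload before changing it. handleWheelEvent's body continues outside the hunk.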
@@ -2650,18 +2662,21 @@
 
     if (element) {
         if (isOverWidget) {
-            RenderElement* target = element->renderer();
-            if (is<RenderWidget>(target)) {
-                Widget* widget = downcast<RenderWidget>(*target).widget();
-                if (widget && passWheelEventToWidget(event, *widget)) {
-                    m_isHandlingWheelEvent = false;
-                    if (scrollableArea)
-                        scrollableArea->setScrolledProgrammatically(false);
-                    platformNotifyIfEndGesture(adjustedEvent, scrollableArea);
-                    if (!widget->platformWidget())
-                        return true;
-                    return platformCompletePlatformWidgetWheelEvent(event, *widget, scrollableContainer.get());
-                }
+            Widget* widget = widgetForElement(*element);
+            if (widget && passWheelEventToWidget(event, *widget)) {
+                m_isHandlingWheelEvent = false;
+
+                // We do another check on the widget because the event handler can run JS which results in the frame getting destroyed.
+                Widget* widget = widgetForElement(*element);
+                if (!widget)
+                    return false;
+
+                if (scrollableArea)
+                    scrollableArea->setScrolledProgrammatically(false);
+                platformNotifyIfEndGesture(adjustedEvent, scrollableArea);
+                if (!widget->platformWidget())
+                    return true;
+                return platformCompletePlatformWidgetWheelEvent(event, *widget, scrollableContainer.get());
             }
         }
 
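Review bot: The second `Widget* widget = widgetForElement(*element);` declares a new `widget` in the inner block, shadowing the one declared just above; since the outer pointer is exactly what the comment says may be stale, assign to it instead — `widget = widgetForElement(*element);` — so there is a single variable and no chance of a later edit reading the stale one. The re-lookup detects the frame being detached, but it does not protect `element` itself: `*element` is dereferenced after the handler has run JS, so this relies on `element` being a RefPtr (its declaration is outside the hunk; please confirm). If Widget is ref-counted, holding `RefPtr<Widget>` across the `passWheelEventToWidget` call and then checking `widgetForElement(*element) == widget` would keep the original object alive and also detect the renderer being swapped for a different widget, which the current null check alone does not. The enclosing function starts before this hunk and ends after it.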