Heap-use-after-free in WebCore::Document::implicitClose
https://bugs.webkit.org/show_bug.cgi?id=105655
Reviewed by Eric Seidel.
Source/WebCore:
Test: fast/dom/window-load-crash.html
* dom/Document.cpp:
(WebCore::Document::implicitClose): RefPtr protect |this| document since it
can be destroyed in the dispatchWindowLoadEvent call.
LayoutTests:
* fast/dom/window-load-crash-expected.txt: Added.
* fast/dom/window-load-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138918 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 0dcd832..0413187 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2013-01-06 Abhishek Arya <inferno@chromium.org>
+
+ Heap-use-after-free in WebCore::Document::implicitClose
+ https://bugs.webkit.org/show_bug.cgi?id=105655
+
+ Reviewed by Eric Seidel.
+
+ * fast/dom/window-load-crash-expected.txt: Added.
+ * fast/dom/window-load-crash.html: Added.
+
2013-01-06 Mike West <mkwst@chromium.org>
Seamless: IFrame's padding isn't taken into account when calculating its height.
diff --git a/LayoutTests/fast/dom/window-load-crash-expected.txt b/LayoutTests/fast/dom/window-load-crash-expected.txt
new file mode 100644
index 0000000..07d41c3
--- /dev/null
+++ b/LayoutTests/fast/dom/window-load-crash-expected.txt
@@ -0,0 +1,2 @@
+Blocked access to external URL http://blocked/does-not-exist.html
+Test passes if it does not crash.
diff --git a/LayoutTests/fast/dom/window-load-crash.html b/LayoutTests/fast/dom/window-load-crash.html
new file mode 100755
index 0000000..27cccdf
--- /dev/null
+++ b/LayoutTests/fast/dom/window-load-crash.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<base href=http://blocked>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function crash()
+{
+ GCController.collect();
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+<iframe onload=crash() src=does-not-exist.html srcdoc="<script>window.onload = function() { frames[0].document.getElementsByTagName('a')[0].click(); }</script><iframe seamless srcdoc='<a href=does-not-exist.html>'>">
+</html>
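Review bot: `GCController.collect()` in `crash()` is called unconditionally, so outside DumpRenderTree/WebKitTestRunner the handler throws a ReferenceError before reaching `notifyDone`; guarding it the same way the `testRunner` calls are guarded (`if (window.GCController) GCController.collect();`) keeps the page loadable in a plain browser. The new test file is also added with mode 100755; layout tests are not executables and should be 100644 like the neighbouring files.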
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 018acab..899456d 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2013-01-06 Abhishek Arya <inferno@chromium.org>
+
+ Heap-use-after-free in WebCore::Document::implicitClose
+ https://bugs.webkit.org/show_bug.cgi?id=105655
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/window-load-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::implicitClose): RefPtr protect |this| document since it
+ can be destroyed in the dispatchWindowLoadEvent call.
+
2013-01-06 Mike West <mkwst@chromium.org>
Seamless: IFrame's padding isn't taken into account when calculating its height.
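Review bot: The entry states that the document can be destroyed inside dispatchWindowLoadEvent but not how it gets there; a short line naming the trigger exercised by the test (a nested seamless iframe being navigated from the outer frame's load handler) would make the ChangeLog useful to the next reader of this code.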
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index 115b3f6..a402c29 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
@@ -2360,6 +2360,9 @@
if (!doload)
return;
+ // Call to dispatchWindowLoadEvent can blow us from underneath.
+ RefPtr<Document> protect(this);
+
m_processingLoadEvent = true;
ScriptableDocumentParser* parser = scriptableDocumentParser();
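Review bot: The `RefPtr<Document> protect(this);` keeps the Document alive for the rest of implicitClose, but it does not keep the Frame attached, so any access to `frame()` or its loader after dispatchWindowLoadEvent still needs its own null check. The comment "can blow us from underneath" would read better as a plain statement, e.g. "dispatchWindowLoadEvent can run script that destroys this document."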