File libwebkit-use-after-free.patch of Package libwebkit
Index: webkit-1.0.1/WebCore/ChangeLog
===================================================================
--- webkit-1.0.1.orig/WebCore/ChangeLog
+++ webkit-1.0.1/WebCore/ChangeLog
@@ -1,3 +1,32 @@
+2008-06-26 Eric Seidel <eric@webkit.org>
+
+ Reviewed by Beth Dakin.
+
+ CSS @import statements can cause DocLoader to use
+ a dead Frame pointer.
+ https://bugs.webkit.org/show_bug.cgi?id=19618
+
+ The fix is to get rid of the Frame pointer on DocLoader.
+
+ I also took this opportunity to clean up Document::detach
+ a little to make it clear why we clear the m_frame pointer
+ there, and to note that in the future we should stop
+ using Node::detach to mean "tear down the whole rendering
+ tree and detach from the frame".
+
+ Test: I don't know how to make a good test for this, the test
+ we have is network timing dependent and does not make a good
+ layout test.
+
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::detach):
+ (WebCore::Document::clearFramePointer):
+ * dom/Document.h:
+ * loader/DocLoader.cpp:
+ (WebCore::DocLoader::frame):
+ * loader/DocLoader.h:
+
 2008-06-15 Darin Adler <darin@apple.com>
 Reviewed by Mitz.
Index: webkit-1.0.1/WebCore/dom/Document.cpp
===================================================================
--- webkit-1.0.1.orig/WebCore/dom/Document.cpp
+++ webkit-1.0.1/WebCore/dom/Document.cpp
@@ -308,8 +308,7 @@ Document::Document(Frame* frame, bool is
 m_axObjectCache = 0;
- // FIXME: DocLoader probably no longer needs the frame argument
- m_docLoader = new DocLoader(frame, this);
+ m_docLoader = new DocLoader(this);
 visuallyOrdered = false;
 m_bParsing = false;
@@ -1285,9 +1284,12 @@ void Document::detach()
 if (render)
 render->destroy();
-
- // FIXME: is this needed or desirable?
- m_frame = 0;
+
+ // This is required, as our Frame might delete itself as soon as it detaches
+ // us. However, this violates Node::detach() symantics, as it's never
+ // possible to re-attach. Eventually Document::detach() should be renamed
+ // or this call made explicit in each of the callers of Document::detach().
+ clearFramePointer();
 if (m_renderArena) {
 delete m_renderArena;
@@ -1295,6 +1297,11 @@ void Document::detach()
 }
 }
+void Document::clearFramePointer()
+{
+ m_frame = 0;
+}
+
 void Document::removeAllEventListenersFromAllNodes()
 {
 m_windowEventListeners.clear();
Index: webkit-1.0.1/WebCore/dom/Document.h
===================================================================
--- webkit-1.0.1.orig/WebCore/dom/Document.h
+++ webkit-1.0.1/WebCore/dom/Document.h
@@ -377,6 +377,8 @@ public:
 virtual void attach();
 virtual void detach();
+ void clearFramePointer();
+
 RenderArena* renderArena() { return m_renderArena; }
 void clearAXObjectCache();
Index: webkit-1.0.1/WebCore/loader/DocLoader.cpp
===================================================================
--- webkit-1.0.1.orig/WebCore/loader/DocLoader.cpp
+++ webkit-1.0.1/WebCore/loader/DocLoader.cpp
@@ -42,10 +42,9 @@ namespace WebCore {
-DocLoader::DocLoader(Frame *frame, Document* doc)
+DocLoader::DocLoader(Document* doc)
 : m_cache(cache())
 , m_cachePolicy(CachePolicyVerify)
- , m_frame(frame)
 , m_doc(doc)
 , m_requestCount(0)
 , m_autoLoadImages(true)
@@ -64,6 +63,11 @@ DocLoader::~DocLoader()
 m_cache->removeDocLoader(this);
 }
+Frame* DocLoader::frame() const
+{
+ return m_doc->frame();
+}
+
 void DocLoader::checkForReload(const KURL& fullURL)
 {
 if (m_allowStaleResources)
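Review bot: The new comment above the `clearFramePointer();` call in Document::detach() misspells "semantics" as "symantics"; the line should read `// us. However, this violates Node::detach() semantics, as it's never`. The comment does explain the why — the Frame may delete itself as soon as the document is detached, so a cached pointer would dangle — which is the point a later reader needs; the "FIXME: is this needed or desirable?" it replaces is exactly the kind of note that let the stale pointer survive. Document::detach() starts and ends outside the hunk.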
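Review bot: The new public `void clearFramePointer();` declaration in Document.h carries no comment, so a caller cannot tell that it is one-way and what it does to `frame()`. Based on the body in Document.cpp (`m_frame = 0;`) and the comment in detach(), I would add above the declaration: `// Drops the back-pointer to the owning Frame; afterwards frame() returns 0 and the document cannot be re-attached. Called from detach().` The surrounding class body is outside the hunk.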
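Review bot: The new `DocLoader::frame()` dereferences `m_doc` unconditionally, and the rewritten constructor stores `doc` without checking it, so the accessor's correctness now rests on the Document outliving its DocLoader; the `new DocLoader(this)` call in Document::Document suggests that holds, but it is only implied. I would make the assumption checkable in debug builds with `ASSERT(m_doc);` as the first line of frame(), and note it in the header next to the existing `// Can be NULL` remark, e.g. `// Looked up through the owning Document on every call; 0 once the Document has been detached from its Frame.` The reason every call is now a fresh lookup instead of a cached member is the substance of the fix — the cached `m_frame` could outlive the Frame it pointed to — and that rationale is worth stating in the header so nobody re-introduces a cached copy for speed.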
@@ -147,8 +151,8 @@ CachedResource* DocLoader::requestResour
 m_docResources.remove(it);
 }
 }
-
- if (m_frame && m_frame->loader()->isReloading())
+
+ if (frame() && frame()->loader()->isReloading())
 setCachePolicy(CachePolicyReload);
 checkForReload(fullURL);
@@ -196,14 +200,14 @@ void DocLoader::removeCachedResource(Cac
 void DocLoader::setLoadInProgress(bool load)
 {
 m_loadInProgress = load;
- if (!load && m_frame)
- m_frame->loader()->loadDone();
+ if (!load && frame())
+ frame()->loader()->loadDone();
 }
 void DocLoader::checkCacheObjectStatus(CachedResource* resource)
 {
 // Return from the function for objects that we didn't load from the cache or if we don't have a frame.
- if (!resource || !m_frame)
+ if (!resource || !frame())
 return;
 switch (resource->status()) {
@@ -217,7 +221,7 @@ void DocLoader::checkCacheObjectStatus(C
 }
 // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
- m_frame->loader()->loadedResourceFromMemoryCache(resource);
+ frame()->loader()->loadedResourceFromMemoryCache(resource);
 }
 void DocLoader::incrementRequestCount()
Index: webkit-1.0.1/WebCore/loader/DocLoader.h
===================================================================
--- webkit-1.0.1.orig/WebCore/loader/DocLoader.h
+++ webkit-1.0.1/WebCore/loader/DocLoader.h
@@ -51,7 +51,7 @@ friend class Cache;
 friend class HTMLImageLoader;
 public:
- DocLoader(Frame*, Document*);
+ DocLoader(Document*);
 ~DocLoader();
 CachedImage* requestImage(const String& url);
@@ -76,7 +76,7 @@ public:
 CachePolicy cachePolicy() const { return m_cachePolicy; }
 void setCachePolicy(CachePolicy);
- Frame* frame() const { return m_frame; }
+ Frame* frame() const; // Can be NULL
 Document* doc() const { return m_doc; }
 void removeCachedResource(CachedResource*) const;
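Review bot: In the third hunk of DocLoader.cpp, the final `frame()->loader()->loadedResourceFromMemoryCache(resource);` in checkCacheObjectStatus() dereferences a fresh `frame()` result without checking it; the null check from the previous hunk happens before the `switch (resource->status())`, whose body lies outside the hunk, so if anything in that switch can detach the document the pointer is now 0 here. Because `frame()` is re-read on every call, the failure mode changes from the use-after-free this patch fixes to a null dereference, which is still a crash; guard the use directly with `if (Frame* f = frame()) f->loader()->loadedResourceFromMemoryCache(resource);`, or add a comment stating why the switch cannot clear the frame. The same double-evaluation pattern appears in the first two hunks (`if (frame() && frame()->loader()->isReloading())` and `if (!load && frame()) frame()->loader()->loadDone();`); there the two calls are adjacent with no intervening code, so a single local such as `Frame* f = frame();` would make the check and the use refer to the same value without re-introducing a long-lived cached pointer. requestResource() and checkCacheObjectStatus() start outside their hunks.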
@@ -108,8 +108,7 @@ private:
 HashSet<String> m_reloadedURLs;
 mutable HashMap<String, CachedResource*> m_docResources;
 CachePolicy m_cachePolicy;
- Frame* m_frame;
- Document *m_doc;
+ Document* m_doc;
 int m_requestCount;