| Field | Value | Date |
|---|---|---|
| author | Xianzhu Wang <wangxianzhu@chromium.org> | 2013-02-06 18:29:24 +0100 |
| committer | The Qt Project <gerrit-noreply@qt-project.org> | 2013-02-07 19:21:31 +0100 |
| commit | 9c8d87d26c8b572af44b95c13838b8b838c4dfa9 (patch) | |
| tree | 83601ee274cdd06fc7c321d72a25bcff0930bfa8 | |
| parent | e08d860b281521970867f9f8d0b1c5541cbc5717 (diff) | |
| download | qtwebkit-9c8d87d26c8b572af44b95c13838b8b838c4dfa9.tar.gz | |
Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion
https://bugs.webkit.org/show_bug.cgi?id=99515
Reviewed by Simon Fraser.
The object used after being freed is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually, it has been removed from m_scrollableAreas by setParent(0), but is then added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0).
No new tests. The heap-use-after-free doesn't always cause a crash, so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch fixes the issue.
* page/FrameView.cpp:
(WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138850 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: I545d8815badad8d72781751e877f933ca8d31365
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | Source/WebCore/ChangeLog | 14 |
| -rw-r--r-- | Source/WebCore/page/FrameView.cpp | 3 |
2 files changed, 17 insertions, 0 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index cb9bcd6a9..6e3cec05e 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -201,6 +201,20 @@ * rendering/RenderObject.cpp: (WebCore::RenderObject::destroyAndCleanupAnonymousWrappers): +2013-01-10 Xianzhu Wang <wangxianzhu@chromium.org> + + Regression(r129944): Heap-use-after-free in WebCore::computeNonFastScrollableRegion + https://bugs.webkit.org/show_bug.cgi?id=99515 + + Reviewed by Simon Fraser. + + The object used-after-freed is a destructed FrameView that is still in the m_scrollableAreas set of the parent FrameView. Actually it has been removed from m_scrollableAreas when setParent(0), but then is added back in updateScrollableAreaSet() because its frameViewParent() is still not 0 (though parent() is already 0). + + No new tests. The heap-use-after-free doesn't always cause crash so it can't be stably tested with a test case. Memory analysis tools like asan discovered the heap-use-after-free and verified that the patch can fix the issue. + + * page/FrameView.cpp: + (WebCore::FrameView::parentFrameView): Checks if the FrameView has been removed from the parent. + 2012-12-12 Allan Sandfeld Jensen <allan.jensen@digia.com> [Qt] Animation fails on large layers diff --git a/Source/WebCore/page/FrameView.cpp b/Source/WebCore/page/FrameView.cpp index dcdae213e..083b83ad5 100644 --- a/Source/WebCore/page/FrameView.cpp +++ b/Source/WebCore/page/FrameView.cpp @@ -3074,6 +3074,9 @@ bool FrameView::hasCustomScrollbars() const FrameView* FrameView::parentFrameView() const { + if (!parent()) + return 0; + if (Frame* parentFrame = m_frame->tree()->parent()) return parentFrame->view(); |
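Review bot: the ChangeLog entry refers to frameViewParent() while the function actually patched in the FrameView.cpp hunk is FrameView::parentFrameView(); align the name in the entry with the code so the two can be cross-referenced. In the FrameView.cpp hunk itself, the new `if (!parent()) return 0;` guard depends on the widget parent being cleared by setParent(0) before the Frame tree still reports a parent frame, but nothing in the hunk records that ordering; a one-line comment above the check stating that a FrameView detached via setParent(0) must not be treated as having a parent view, even while m_frame->tree()->parent() is still non-null, would make the invariant explicit for anyone later touching teardown order, since a second caller relying on the tree parent alone would reintroduce the stale m_scrollableAreas entry described in the message.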
