Heap-use-after-free in WebCore::XMLDocumentParser::doEnd

https://bugs.webkit.org/show_bug.cgi?id=100152 Reviewed by Adam Barth. XMLDocumentParser can be blown away inside document()->styleResolverChanged() call. Protect it with a local RefPtr in Document::explitClose. No new tests. The site specific dependencies are hard to minimize. * dom/Document.cpp: (WebCore::Document::explicitClose): RefPtr m_parser into a local, since it can be detached and nulled out in DocumentWriter::end(). * xml/parser/XMLDocumentParser.cpp: (WebCore::XMLDocumentParser::end): Bail out when we are detached. * xml/parser/XMLDocumentParserLibxml2.cpp: (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached. * xml/parser/XMLDocumentParserQt.cpp: (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached. Change-Id: If7ff9142c561391e7c30632a9b8fb9cbb284fb2c Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
author: Allan Sandfeld Jensen <allan.jensen@digia.com> 2013-01-23 12:17:32 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-01-23 18:59:21 +0100
commit: c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3 (patch)
tree: 2241523e73cd66381c519dd083ef7caece6fe979
parent: 9a0c51e753db9e4164df97801f132237e62387de (diff)
download: qtwebkit-c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3.tar.gz
5 files changed, 41 insertions, 3 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 098afc0b0..556a5c049 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2013-01-04  Abhishek Arya  <inferno@chromium.org>
+
+        Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
+        https://bugs.webkit.org/show_bug.cgi?id=100152
+
+        Reviewed by Adam Barth.
+
+        XMLDocumentParser can be blown away inside document()->styleResolverChanged()
+        call. Protect it with a local RefPtr in Document::explitClose.
+
+        No new tests. The site specific dependencies are hard to minimize.
+
+        * dom/Document.cpp:
+        (WebCore::Document::explicitClose): RefPtr m_parser into a local, since
+        it can be detached and nulled out in DocumentWriter::end().
+        * xml/parser/XMLDocumentParser.cpp:
+        (WebCore::XMLDocumentParser::end): Bail out when we are detached.
+        * xml/parser/XMLDocumentParserLibxml2.cpp:
+        (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
+        * xml/parser/XMLDocumentParserQt.cpp:
+        (WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
+
 2013-01-06  Abhishek Arya  <inferno@chromium.org>
 
         Heap-use-after-free in DocumentLoader::stopLoading
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index 70e271c8c..c1c2b7b5d 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
@@ -2352,8 +2352,8 @@ void Document::close()
 
 void Document::explicitClose()
 {
-    if (m_parser)
-        m_parser->finish();
+    if (RefPtr<DocumentParser> parser = m_parser)
+        parser->finish();
 
     if (!m_frame) {
         // Because we have no frame, we don't know if all loading has completed,
diff --git a/Source/WebCore/xml/parser/XMLDocumentParser.cpp b/Source/WebCore/xml/parser/XMLDocumentParser.cpp
index 5aa0e0890..6b8a0abfb 100644
--- a/Source/WebCore/xml/parser/XMLDocumentParser.cpp
+++ b/Source/WebCore/xml/parser/XMLDocumentParser.cpp
@@ -194,6 +194,11 @@ void XMLDocumentParser::end()
 
     doEnd();
 
+    // doEnd() call above can detach the parser and null out its document.
+    // In that case, we just bail out.
+    if (isDetached())
+        return;
+
     // doEnd() could process a script tag, thus pausing parsing.
     if (m_parserPaused)
         return;
diff --git a/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp b/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
index 7813ad308..173233a89 100644
--- a/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
+++ b/Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
@@ -1338,8 +1338,13 @@ void XMLDocumentParser::doEnd()
 
         document()->setParsing(false); // Make the document think it's done, so it will apply XSL stylesheets.
         document()->styleResolverChanged(RecalcStyleImmediately);
-        document()->setParsing(true);
 
+        // styleResolverChanged() call can detach the parser and null out its document.
+        // In that case, we just bail out.
+        if (isDetached())
+            return;
+
+        document()->setParsing(true);
         DocumentParser::stopParsing();
     }
 #endif
diff --git a/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp b/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp
index 9473ab795..63189da29 100644
--- a/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp
+++ b/Source/WebCore/xml/parser/XMLDocumentParserQt.cpp
@@ -204,6 +204,12 @@ void XMLDocumentParser::doEnd()
         document()->setTransformSource(adoptPtr(new TransformSource(m_originalSourceForTransform.toString())));
         document()->setParsing(false); // Make the doc think it's done, so it will apply xsl sheets.
         document()->styleResolverChanged(RecalcStyleImmediately);
+
+        // styleResolverChanged() call can detach the parser and null out its document.
+        // In that case, we just bail out.
+        if (isDetached())
+            return;
+
         document()->setParsing(true);
         DocumentParser::stopParsing();
     }
author	Allan Sandfeld Jensen <allan.jensen@digia.com>	2013-01-23 12:17:32 +0100
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-01-23 18:59:21 +0100
commit	c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3 (patch)
tree	2241523e73cd66381c519dd083ef7caece6fe979
parent	9a0c51e753db9e4164df97801f132237e62387de (diff)
download	qtwebkit-c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3.tar.gz