path: root/Source/JavaScriptCore/runtime/JSObject.cpp
author: Allan Sandfeld Jensen <allan.jensen@digia.com> 2013-01-23 12:06:02 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-01-23 18:59:15 +0100
commit: 9a0c51e753db9e4164df97801f132237e62387de (patch)
tree: d71db78a027e28e1ac8ac5c1cb46c6cd20bb05ff /Source/JavaScriptCore/runtime/JSObject.cpp
parent: cc73ba23ef1f3b28be84e7e5228298418a453b20 (diff)
download: qtwebkit-9a0c51e753db9e4164df97801f132237e62387de.tar.gz
Heap-use-after-free in DocumentLoader::stopLoading
https://bugs.webkit.org/show_bug.cgi?id=103656

Reviewed by Eric Seidel.

Source/WebCore:

Test: fast/dom/ready-state-change-crash.html

* html/parser/HTMLDocumentParser.cpp:
(WebCore::HTMLDocumentParser::prepareToStopParsing):
Bail out if the parser is detached due to mutation event.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoading):
Move the protectors for frame and document loader to the start of the function.
Call to m_frame->loader()->stopLoading() can change document ready state and fire mutation event which might blow the document loader from underneath.

Change-Id: Ib51a1eb062e552eb0cfa7e4ac647e59a4c6b433d
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/runtime/JSObject.cpp')
0 files changed, 0 insertions, 0 deletions