Title: [258397] releases/WebKitGTK/webkit-2.26/Source/WebCore
- Revision
- 258397
- Author
- ape...@igalia.com
- Date
- 2020-03-13 07:51:47 -0700 (Fri, 13 Mar 2020)
Log Message
Merge r257292 - PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
https://bugs.webkit.org/show_bug.cgi?id=204342
Reviewed by Carlos Garcia Campos.
m_deferredFocusedNodeChange keeps pairs of an old node and a new one
to update a focused node later. When a node is removed from the document,
it is also removed from the pair vector. The problem is that only comparing
the new node in each pair with the removed node decides the removal.
In the case where the removed node lives in m_deferredFocusedNodeChange
as an old node, a crash happens while we get the renderer of the removed node
to handle focused elements. To fix this, we find all entries whose old node
matches the removed node, and set their first value to null.
No new tests since no functionality changed.
* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog (258396 => 258397)
--- releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog 2020-03-13 14:51:42 UTC (rev 258396)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog 2020-03-13 14:51:47 UTC (rev 258397)
@@ -1,3 +1,24 @@
+2020-02-24 ChangSeok Oh <changs...@webkit.org>
+
+ PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
+ https://bugs.webkit.org/show_bug.cgi?id=204342
+
+ Reviewed by Carlos Garcia Campos.
+
+ m_deferredFocusedNodeChange keeps pairs of a old node and a new one
+ to update a focused node later. When a node is removed in the document,
+ it is also removed from the pair vector. The problem is only comparing
+ the new node in each pair with a removed node decides the removal.
+ In the case where the removed node lives in m_deferredFocusedNodeChange
+ as an old node, a crash happens while we get a renderer of the removed node
+ to handle focused elements. To fix this, we find all entries of which old node
+ is matched to the removed node, and set their first value null.
+
+ No new tests since no functionality changed.
+
+ * accessibility/AXObjectCache.cpp:
+ (WebCore::AXObjectCache::remove):
+
2020-01-16 Tomoki Imai <tomoki.i...@sony.com>
Do not detect the stopped animations in Nicosia::Animation to avoid flashback
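Review bot: "No new tests since no functionality changed" does not fit a use-after-free fix; a regression test that removes a node while it is still queued as the old node of a deferred focus change would lock in the behaviour this ChangeLog describes ("a crash happens while we get the renderer of the removed node"), and would catch a future refactor that drops the new nullptr handling. Consider adding a layout or accessibility test alongside the AXObjectCache.cpp change rather than relying on the PS-2019-006 report as the only reproducer.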
Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp (258396 => 258397)
--- releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp 2020-03-13 14:51:42 UTC (rev 258396)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp 2020-03-13 14:51:47 UTC (rev 258397)
@@ -758,6 +758,12 @@
m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
return entry.second == &node;
});
+ // Set nullptr to the old focused node if it is being removed.
+ std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+ if (entry.first == &node)
+ entry.first = nullptr;
+ });
+
removeNodeForUse(node);
remove(m_nodeObjectMapping.take(&node));
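Review bot: The new loop leaves entries with `entry.first == nullptr` in `m_deferredFocusedNodeChange`, so whatever later drains that vector must now tolerate a null old node; that consumer is outside this hunk, and the change should be paired with (or at least assert) a null check there, otherwise the dangling-pointer dereference is replaced by a null dereference. Two smaller points: the `removeAllMatching` call and the `std::for_each` walk the same vector back to back and could be a single pass, e.g. one lambda that returns `entry.second == &node` after doing `if (entry.first == &node) entry.first = nullptr;`; and since both halves of each pair are evidently raw `Node*` (they are compared against `&node`), a more robust fix would store them as `WeakPtr<Node>` so a removed node nulls itself out without this cache having to remember every place the pointer was stashed.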