Title: [207130] releases/WebKitGTK/webkit-2.14
Revision
207130
Author
[email protected]
Date
2016-10-11 06:50:31 -0700 (Tue, 11 Oct 2016)

Log Message

Avoid null dereference when changing focus in design mode.
https://bugs.webkit.org/show_bug.cgi?id=162877
<rdar://problem/28061261>

Reviewed by Chris Dumez.

Source/WebCore:

The bare m_frame pointer in DOMWindow can be cleared when setting focus to a new element. Check
that the m_frame pointer is non-null before using it after calling a routine that could
clear the pointer value.

Test: fast/frames/iframe-focus-crash.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::focus): Check that the pointer is still non-null after setting the
current focused element to nullptr.

LayoutTests:

* fast/frames/iframe-focus-crash-expected.txt: Added.
* fast/frames/iframe-focus-crash.html: Added.
* fast/frames/resources/iframe-focus-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (207129 => 207130)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2016-10-11 13:46:41 UTC (rev 207129)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog	2016-10-11 13:50:31 UTC (rev 207130)
@@ -1,3 +1,15 @@
+2016-10-03  Brent Fulgham  <[email protected]>
+
+        Avoid null dereference when changing focus in design mode.
+        https://bugs.webkit.org/show_bug.cgi?id=162877
+        <rdar://problem/28061261>
+
+        Reviewed by Chris Dumez.
+
+        * fast/frames/iframe-focus-crash-expected.txt: Added.
+        * fast/frames/iframe-focus-crash.html: Added.
+        * fast/frames/resources/iframe-focus-crash.html: Added.
+
 2016-10-01  Simon Fraser  <[email protected]>
 
         Bad cast when CSS position programmatically changed from -webkit-sticky to fixed

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash-expected.txt (0 => 207130)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash-expected.txt	2016-10-11 13:50:31 UTC (rev 207130)
@@ -0,0 +1,2 @@
+This tests that setting focus to a removed frame does not cause a crash. The test passes if it does not crash.
+

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash.html (0 => 207130)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/iframe-focus-crash.html	2016-10-11 13:50:31 UTC (rev 207130)
@@ -0,0 +1,12 @@
+<html>
+    <head>
+        <script>
+        if (window.testRunner)
+            testRunner.dumpAsText(true);
+        </script>
+    </head>
+    <body>
+        <div>This tests that setting focus to a removed frame does not cause a crash. The test passes if it does not crash.</div>
+        <iframe src=''></iframe>
+    </body>
+</html>
\ No newline at end of file
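Review bot: the harness page as listed never references the resource file added below; `<iframe src=''></iframe>` loads an empty frame, so resources/iframe-focus-crash.html and its runTest() would not execute from this test unless the src value was stripped by the archive rendering. If the src really is empty, point it at resources/iframe-focus-crash.html. Also, because the child frame schedules its second focus() through window.parent.setTimeout, the parent should call testRunner.waitUntilDone() and notifyDone() once that callback has run, otherwise the text dump can happen before the deferred focus fires and the crash path is never exercised. The file is also missing a trailing newline.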

Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/iframe-focus-crash.html (0 => 207130)


--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/iframe-focus-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/iframe-focus-crash.html	2016-10-11 13:50:31 UTC (rev 207130)
@@ -0,0 +1,15 @@
+<html>
+    <body _onload_='runTest()'> 
+        <script>
+        function runTest() {
+            document.designMode='on';
+            window.parent.setTimeout(function() { 
+                window.focus();
+            }, 0);
+            window.focus();
+        }
+        </script>
+        <iframe src=''></iframe>
+        <html _onfocusout_="window.document.writeln();"></html>
+    </body>
+</html>
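Review bot: the handler attributes appear as `_onload_` and `_onfocusout_`, which are not names the browser treats as event handlers; if this is the archive's rewriting of onload/onfocusout the listing is misleading, otherwise runTest() and the focusout handler never fire and the test is inert. The nested `<html _onfocusout_="window.document.writeln();"></html>` inside `<body>` is also invalid markup: the parser does not create a second element but merges that tag's attributes onto the already-open root html element, which is presumably how the focusout handler ends up running document.writeln() and tearing down the frame while DOMWindow::focus is mid-call. A comment saying so, or putting the attribute on the opening `<html>` tag directly, would make the intent clear. Minor: trailing whitespace after `<body _onload_='runTest()'>` and after `setTimeout(function() {`.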

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (207129 => 207130)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-10-11 13:46:41 UTC (rev 207129)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog	2016-10-11 13:50:31 UTC (rev 207130)
@@ -1,3 +1,21 @@
+2016-10-03  Brent Fulgham  <[email protected]>
+
+        Avoid null dereference when changing focus in design mode.
+        https://bugs.webkit.org/show_bug.cgi?id=162877
+        <rdar://problem/28061261>
+
+        Reviewed by Chris Dumez.
+
+        The bare m_frame pointer in DOMWindow can be cleared when setting focus to a new element. Check
+        that the m_frame pointer is non-null before using it after calling a routine that could
+        clear the pointer value.
+
+        Test: fast/frames/iframe-focus-crash.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::focus): Check that the pointer is still non-null after setting the
+        current focused element to nullptr.
+
 2016-10-03  Carlos Garcia Campos  <[email protected]>
 
         Unreviewed. Fix the build with coordinated graphics enabled after r206712.

Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMWindow.cpp (207129 => 207130)


--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMWindow.cpp	2016-10-11 13:46:41 UTC (rev 207129)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMWindow.cpp	2016-10-11 13:50:31 UTC (rev 207130)
@@ -1005,7 +1005,9 @@
     if (focusedFrame && focusedFrame != m_frame)
         focusedFrame->document()->setFocusedElement(nullptr);
 
-    m_frame->eventHandler().focusDocumentView();
+    // setFocusedElement may clear m_frame, so recheck before using it.
+    if (m_frame)
+        m_frame->eventHandler().focusDocumentView();
 }
 
 void DOMWindow::blur()
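Review bot: the recheck is correct, but the comment should say why m_frame can go away: setFocusedElement dispatches blur/focusout events that run page script, and that script (as in the new test's focusout handler calling document.writeln()) can navigate or detach the frame, which nulls the DOMWindow's bare m_frame pointer. Stating that explicitly documents the invariant, and it points at the general hazard: any DOMWindow method that touches m_frame after a call that can run script needs the same recheck, so the other callers in this file are worth auditing for the same pattern.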
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
