Title: [258397] releases/WebKitGTK/webkit-2.26/Source/WebCore
Revision
258397
Author
ape...@igalia.com
Date
2020-03-13 07:51:47 -0700 (Fri, 13 Mar 2020)

Log Message

Merge r257292 - PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
https://bugs.webkit.org/show_bug.cgi?id=204342

Reviewed by Carlos Garcia Campos.

m_deferredFocusedNodeChange keeps pairs of an old node and a new one
to update a focused node later. When a node is removed in the document,
it is also removed from the pair vector. The problem is that only comparing
the new node in each pair with a removed node decides the removal.
In the case where the removed node lives in m_deferredFocusedNodeChange
as an old node, a crash happens while we get a renderer of the removed node
to handle focused elements. To fix this, we find all entries whose old node
matches the removed node, and set their first value to null.

No new tests since no functionality changed.

* accessibility/AXObjectCache.cpp:
(WebCore::AXObjectCache::remove):

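As an added illustration, not WebKit code: a minimal model of the deferred focus-change queue described in the log message, with the pre-fix removal (match on the new node only) beside the post-fix removal (also null out the old node). `Node`, `FocusQueue`, `removeNodeBuggy`, `removeNodeFixed`, `staleReferences` and `simulate` are hypothetical names; removed nodes are tracked in a set rather than freed so the lingering reference can be counted safely.

```cpp
#include <algorithm>
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Hypothetical stand-in for a DOM node; not WebKit's Node class.
struct Node { int id; };

using FocusChange = std::pair<Node*, Node*>;   // (old focused node, new focused node)
using FocusQueue  = std::vector<FocusChange>;

// Pre-fix behaviour: an entry is dropped only when its *new* node is the removed one.
// An entry whose *old* node is the removed one survives and keeps a dangling pointer.
void removeNodeBuggy(FocusQueue& queue, Node& node) {
    queue.erase(std::remove_if(queue.begin(), queue.end(),
                               [&node](const FocusChange& e) { return e.second == &node; }),
                queue.end());
}

// Post-fix behaviour: same removal on the new node, then null out old-node references
// so a later consumer sees nullptr instead of a pointer to freed memory.
void removeNodeFixed(FocusQueue& queue, Node& node) {
    removeNodeBuggy(queue, node);
    for (FocusChange& e : queue) {
        if (e.first == &node)
            e.first = nullptr;
    }
}

// Counts queue entries that still point at a node recorded as removed. Nodes are not
// actually freed here, so inspecting the pointers is well defined (constructed harness).
std::size_t staleReferences(const FocusQueue& queue, const std::set<const Node*>& removed) {
    std::size_t count = 0;
    for (const FocusChange& e : queue) {
        if (e.first && removed.count(e.first)) ++count;
        if (e.second && removed.count(e.second)) ++count;
    }
    return count;
}

// Scenario from the bug report: focus is deferred from node A to node B, then A is removed.
// Returns how many stale references the chosen removal strategy leaves behind.
std::size_t simulate(bool useFix) {
    Node a{1}, b{2};
    FocusQueue queue{{&a, &b}};          // deferred change: old = A, new = B
    std::set<const Node*> removed{&a};
    if (useFix) removeNodeFixed(queue, a); else removeNodeBuggy(queue, a);
    return staleReferences(queue, removed);
}
```
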
Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog (258396 => 258397)


--- releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog	2020-03-13 14:51:42 UTC (rev 258396)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/ChangeLog	2020-03-13 14:51:47 UTC (rev 258397)
@@ -1,3 +1,24 @@
+2020-02-24  ChangSeok Oh  <changs...@webkit.org>
+
+        PS-2019-006: [GTK] WebKit - AXObjectCache - m_deferredFocusedNodeChange - UaF
+        https://bugs.webkit.org/show_bug.cgi?id=204342
+
+        Reviewed by Carlos Garcia Campos.
+
+        m_deferredFocusedNodeChange keeps pairs of a old node and a new one
+        to update a focused node later. When a node is removed in the document,
+        it is also removed from the pair vector. The problem is only comparing
+        the new node in each pair with a removed node decides the removal.
+        In the case where the removed node lives in m_deferredFocusedNodeChange
+        as an old node, a crash happens while we get a renderer of the removed node
+        to handle focused elements. To fix this, we find all entries of which old node
+        is matched to the removed node, and set their first value null.
+
+        No new tests since no functionality changed.
+
+        * accessibility/AXObjectCache.cpp:
+        (WebCore::AXObjectCache::remove):
+
 2020-01-16  Tomoki Imai  <tomoki.i...@sony.com>
 
         Do not detect the stopped animations in Nicosia::Animation to avoid flashback
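Review bot: Typo in the new ChangeLog entry, "pairs of a old node" should read "pairs of an old node"; the same wording is used as the commit message, so it is worth correcting in both places.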

Modified: releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp (258396 => 258397)


--- releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp	2020-03-13 14:51:42 UTC (rev 258396)
+++ releases/WebKitGTK/webkit-2.26/Source/WebCore/accessibility/AXObjectCache.cpp	2020-03-13 14:51:47 UTC (rev 258397)
@@ -758,6 +758,12 @@
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
         return entry.second == &node;
     });
+    // Set nullptr to the old focused node if it is being removed.
+    std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+        if (entry.first == &node)
+            entry.first = nullptr;
+    });
+
     removeNodeForUse(node);
 
     remove(m_nodeObjectMapping.take(&node));
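Review bot: The new loop sets entry.first to nullptr, but nothing in this hunk shows that the consumer of m_deferredFocusedNodeChange tolerates a null old node; confirm that the code which later obtains the renderer for the old focused node checks entry.first for nullptr before use, otherwise the use-after-free becomes a null dereference. Minor style point: the std::for_each with a lambda reads more simply as a range-based for, e.g. `for (auto& entry : m_deferredFocusedNodeChange)` with the same body, and the added empty `+` line before removeNodeForUse(node) is stray whitespace.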
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes