Title: [123539] branches/chromium/1180
Revision
123539
Author
simon...@chromium.org
Date
2012-07-24 15:22:19 -0700 (Tue, 24 Jul 2012)

Log Message

Merge 123121 - Regression(120096): Protect the element used by ImageLoader until the end of notifyFinished().
https://bugs.webkit.org/show_bug.cgi?id=90471

Reviewed by Brady Eidson.

Source/WebCore:

Test: http/tests/security/video-poster-cross-origin-crash.html

* html/HTMLImageLoader.cpp:
(WebCore::HTMLImageLoader::notifyFinished): Hang on to the element until we're done.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::setImage): No behavior change.
(WebCore):
(WebCore::ImageLoader::setImageWithoutConsideringPendingLoadEvent): Split off from old setImage, minus calling updatedHasPendingLoadEvent().
(WebCore::ImageLoader::notifyFinished): Invoke updatedHasPendingLoadEvent() only once the cross-origin error handling is complete, immediately before returning, since that call may destroy the ImageLoader.
* loader/ImageLoader.h:
(ImageLoader):

LayoutTests:

* http/tests/security/video-poster-cross-origin-crash-expected.txt: Added.
* http/tests/security/video-poster-cross-origin-crash.html: Added. From fuzzer.

TBR=simon...@chromium.org


Copied: branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt (from rev 123121, trunk/LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt) (0 => 123539)


--- branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash-expected.txt	2012-07-24 22:22:19 UTC (rev 123539)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+>>>

Copied: branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash.html (from rev 123121, trunk/LayoutTests/http/tests/security/video-poster-cross-origin-crash.html) (0 => 123539)


--- branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash.html	                        (rev 0)
+++ branches/chromium/1180/LayoutTests/http/tests/security/video-poster-cross-origin-crash.html	2012-07-24 22:22:19 UTC (rev 123539)
@@ -0,0 +1,23 @@
+<sub id=tCF1></sub>>>><button hidden=false id=tCF7>><video crossorigin="" poster="http://localhost:8080/misc/resources/compass.jpg">><style>
+.c29:nth-child(1814762996n + 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999) { -webkit-locale: "zh_CN";</style><script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+docElement = document.body ? document.body : document.documentElement;
+function initCF() {
+try { tCF44 = document.createElementNS("http://www.w3.org/1999/xhtml", "multicol"); } catch(e) {}
+try { tCF44.setAttribute("class", "c29"); } catch(e) {}
+try { docElement.appendChild(tCF44); } catch(e) {}
+setTimeout("CFcrash()", 400);
+}
+window._onload_ = initCF;
+function editFuzz() {
+}
+function CFcrash() {
+try { if (tCF1 != docElement) tCF1.parentNode.removeChild(tCF1); } catch(e) {}
+window.scrollBy(-484, -400);
+try { tCF7.innerText = tCF44.textContent; } catch(e) {}
+if (window.testRunner)
+    testRunner.notifyDone();
+}</script>
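Review bot: The test reaches its crash step only through a fixed `setTimeout("CFcrash()", 400)`, so whether the cross-origin poster load has finished (and the error path in ImageLoader::notifyFinished has run) by the time `CFcrash` executes depends on scheduling rather than on an event; on a slow bot the test can pass without exercising the fix. Since the expectation already pins the two CORS console messages, driving `CFcrash` from the poster's load/error outcome would make the reproduction deterministic, e.g. registering an `onerror` handler on the `<video>`'s poster image where the harness allows it. Note also that `window._onload_` reads like a rendering artifact of `window.onload` in this mail; if the file really contains `_onload_`, `initCF` is never called and the test is inert, so that is worth confirming against the checked-in file.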

Modified: branches/chromium/1180/Source/WebCore/html/HTMLImageLoader.cpp (123538 => 123539)


--- branches/chromium/1180/Source/WebCore/html/HTMLImageLoader.cpp	2012-07-24 22:20:10 UTC (rev 123538)
+++ branches/chromium/1180/Source/WebCore/html/HTMLImageLoader.cpp	2012-07-24 22:22:19 UTC (rev 123539)
@@ -74,7 +74,7 @@
 {
     CachedImage* cachedImage = image();
 
-    Element* elem = element();
+    RefPtr<Element> elem = element();
     ImageLoader::notifyFinished(cachedImage);
 
     bool loadError = cachedImage->errorOccurred() || cachedImage->response().httpStatusCode() >= 400;
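Review bot: `cachedImage` remains a raw `CachedImage*` across the `ImageLoader::notifyFinished(cachedImage)` call, and on the cross-origin path that base call now clears `m_image` through `setImageWithoutConsideringPendingLoadEvent(0)`, so the `cachedImage->errorOccurred()` read on the following line runs after this loader has released its own handle to the resource. Whether the memory cache still holds the CachedImage at that point is not visible here; if it can be evicted, this is the same dangling-pointer class the `RefPtr<Element>` on `elem` fixes for the element. Holding it the same way, `CachedResourceHandle<CachedImage> cachedImage = image();`, would make the function self-sufficient without changing behavior. HTMLImageLoader::notifyFinished's signature is above this hunk and its body continues past it, including a platform-specific block between the two hunks that I cannot see.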
@@ -89,7 +89,7 @@
 #endif
 
     if (loadError && elem->hasTagName(HTMLNames::objectTag))
-        static_cast<HTMLObjectElement*>(elem)->renderFallbackContent();
+        static_cast<HTMLObjectElement*>(elem.get())->renderFallbackContent();
 }
 
 }

Modified: branches/chromium/1180/Source/WebCore/loader/ImageLoader.cpp (123538 => 123539)


--- branches/chromium/1180/Source/WebCore/loader/ImageLoader.cpp	2012-07-24 22:20:10 UTC (rev 123538)
+++ branches/chromium/1180/Source/WebCore/loader/ImageLoader.cpp	2012-07-24 22:22:19 UTC (rev 123539)
@@ -118,6 +118,15 @@
 
 void ImageLoader::setImage(CachedImage* newImage)
 {
+    setImageWithoutConsideringPendingLoadEvent(newImage);
+
+    // Only consider updating the protection ref-count of the Element immediately before returning
+    // from this function as doing so might result in the destruction of this ImageLoader.
+    updatedHasPendingLoadEvent();
+}
+
+void ImageLoader::setImageWithoutConsideringPendingLoadEvent(CachedImage* newImage)
+{
     ASSERT(m_failedLoadURL.isEmpty());
     CachedImage* oldImage = m_image.get();
     if (newImage != oldImage) {
@@ -143,10 +152,6 @@
 
     if (RenderImageResource* imageResource = renderImageResource())
         imageResource->resetAnimation();
-
-    // Only consider updating the protection ref-count of the Element immediately before returning
-    // from this function as doing so might result in the destruction of this ImageLoader.
-    updatedHasPendingLoadEvent();
 }
 
 void ImageLoader::updateFromElement()
@@ -257,7 +262,7 @@
         && !m_element->document()->securityOrigin()->canRequest(image()->response().url())
         && !resource->passesAccessControlCheck(m_element->document()->securityOrigin())) {
 
-        setImage(0);
+        setImageWithoutConsideringPendingLoadEvent(0);
 
         m_hasPendingErrorEvent = true;
         errorEventSender().dispatchEventSoon(this);
@@ -266,6 +271,10 @@
         m_element->document()->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage);
 
         ASSERT(!m_hasPendingLoadEvent);
+
+        // Only consider updating the protection ref-count of the Element immediately before returning
+        // from this function as doing so might result in the destruction of this ImageLoader.
+        updatedHasPendingLoadEvent();
         return;
     }
 

Modified: branches/chromium/1180/Source/WebCore/loader/ImageLoader.h (123538 => 123539)


--- branches/chromium/1180/Source/WebCore/loader/ImageLoader.h	2012-07-24 22:20:10 UTC (rev 123538)
+++ branches/chromium/1180/Source/WebCore/loader/ImageLoader.h	2012-07-24 22:22:19 UTC (rev 123539)
@@ -84,6 +84,8 @@
     RenderImageResource* renderImageResource();
     void updateRenderer();
 
+    void setImageWithoutConsideringPendingLoadEvent(CachedImage*);
+
     Element* m_element;
     CachedResourceHandle<CachedImage> m_image;
     AtomicString m_failedLoadURL;
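Review bot: The new private `setImageWithoutConsideringPendingLoadEvent` declaration carries no comment, yet it has a contract its callers must honor: it leaves the element's protection ref-count stale, and every caller (`setImage` and the cross-origin branch of `notifyFinished` in ImageLoader.cpp) must call `updatedHasPendingLoadEvent()` as its final action before returning, because that call may destroy the ImageLoader. I would add above the declaration: `// Like setImage() but skips updatedHasPendingLoadEvent(); the caller must invoke it as its last step, since that may delete this ImageLoader.` The enclosing class definition begins before and ends after this hunk.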