File webkitgtk-fix-use-after-free-regression.patch of Package webkitgtk3.5198

Overview Repositories Revisions Requests Users Attributes Meta

File webkitgtk-fix-use-after-free-regression.patch of Package webkitgtk3.5198

Index: webkitgtk-2.4.10/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.10/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute-expected.txt	2016-06-07 09:16:51.539517581 +0200
@@ -0,0 +1,3 @@
+Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.
+
+PASS. WebKit didn't crash.
Index: webkitgtk-2.4.10/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html
===================================================================
--- /dev/null	1970-01-01 00:00:00.000000000 +0000
+++ webkitgtk-2.4.10/LayoutTests/fast/dom/uniquing-attributes-via-setAttribute.html	2016-06-07 09:16:51.539517581 +0200
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Tests uniquing attributes via setAttribute. WebKit shouldn't crash under GuardMalloc or ASAN builds.</p>
+<div></div>
+<script>
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var div = document.querySelector('div');
+div.setAttribute('name', 'a');
+
+var divClone = div.cloneNode(true);
+document.body.appendChild(divClone);
+
+div.setAttribute('name', 'b');
+divClone.setAttribute('name', 'b');
+
+document.write("PASS. WebKit didn't crash.");
+
+</script>
+</body>
+</html>
Index: webkitgtk-2.4.10/Source/WebCore/dom/Element.cpp
===================================================================
--- webkitgtk-2.4.10.orig/Source/WebCore/dom/Element.cpp	2016-03-14 08:09:01.000000000 +0100
+++ webkitgtk-2.4.10/Source/WebCore/dom/Element.cpp	2016-06-07 09:16:51.539517581 +0200
@@ -1056,7 +1056,7 @@
     const Attribute& attribute = attributeAt(index);
     AtomicString oldValue = attribute.value();
     bool valueChanged = newValue != oldValue;
-    const QualifiedName& attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
+    QualifiedName attributeName = (!inSynchronizationOfLazyAttribute || valueChanged) ? attribute.name() : name;
 
     if (!inSynchronizationOfLazyAttribute)
         willModifyAttribute(attributeName, oldValue, newValue);
Index: webkitgtk-2.4.10/Source/WebCore/ChangeLog
===================================================================
--- webkitgtk-2.4.10.orig/Source/WebCore/ChangeLog	2016-03-14 08:09:01.000000000 +0100
+++ webkitgtk-2.4.10/Source/WebCore/ChangeLog	2016-06-07 09:16:51.547517534 +0200
@@ -1,3 +1,17 @@
+2014-03-04  Ryosuke Niwa  <rniwa@webkit.org>
+
+        REGRESSION(r164856): Use after free in WebCore::QualifiedName::operator== / WebCore::StyledElement::attributeChanged
+        https://bugs.webkit.org/show_bug.cgi?id=129550
+
+        Reviewed by Andreas Kling.
+
+        We can't store a reference to QualifiedName here because ensureUniqueElementData could delete QualifiedName inside Attribute.
+
+        Test: fast/dom/uniquing-attributes-via-setAttribute.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::setAttributeInternal):
+
 2014-06-06  Brady Eidson  <beidson@apple.com>
 
         Initialize a char* that needs to be initialized.

Places

File webkitgtk-fix-use-after-free-regression.patch of Package webkitgtk3.5198

Places