[webkit-changes] [WebKit/WebKit] 0675bb: Cherry-pick 252432.838 at safari-7614-branch (6651709...

Arunsundar Kannan noreply at github.com
Tue Jan 24 17:17:40 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0675bbf6a5db80a0dbf04ae7a7485a09b056d032
      https://github.com/WebKit/WebKit/commit/0675bbf6a5db80a0dbf04ae7a7485a09b056d032
  Author: Arunsundar Kannan <arunsundar_kannan at apple.com>
  Date:   2023-01-24 (Tue, 24 Jan 2023)

  Changed paths:
    A LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt
    A LayoutTests/fast/forms/textfield-input-type-crash-onblur.html
    M Source/WebCore/html/HTMLInputElement.cpp
    M Source/WebCore/html/HTMLOptionElement.cpp
    M Source/WebCore/html/TextFieldInputType.cpp

  Log Message:
  -----------
  Cherry-pick 252432.838 at safari-7614-branch (665170902bfa). rdar://104601528

    UAF crash occurs during a style update when an older freed HTMLElement is accessed
    https://bugs.webkit.org/show_bug.cgi?id=247389
    rdar://101420898

    Reviewed by Ryosuke Niwa and Ryan Haddad.

    * LayoutTests/fast/forms/textfield-input-type-crash-onblur-expected.txt: Added.
    * LayoutTests/fast/forms/textfield-input-type-crash-onblur.html: Added.
    * Source/WebCore/html/HTMLInputElement.cpp:
    (WebCore::HTMLInputElement::dataListMayHaveChanged):
    * Source/WebCore/html/HTMLOptionElement.cpp:
    (WebCore::HTMLOptionElement::childrenChanged):
    * Source/WebCore/html/TextFieldInputType.cpp:
    (WebCore::TextFieldInputType::createDataListDropdownIndicator):
    (WebCore::TextFieldInputType::dataListMayHaveChanged):

    Canonical link: https://commits.webkit.org/252432.838@safari-7614-branch

Canonical link: https://commits.webkit.org/259321@main



