<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200840] releases/WebKitGTK/webkit-2.12/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200840">200840</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-05-13 04:38:40 -0700 (Fri, 13 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/200091">r200091</a> - GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
https://bugs.webkit.org/show_bug.cgi?id=157020
<rdar://problem/25148315>
Reviewed by Darin Adler.
Calls to setIntegralAttribute triggers event handling code, which can cause
the underlying m_frameOwnerElement member to be deleted. We could clone this
object, but since we only want the width and height we should just read them
while we know the object is in a good state, then execute the potentially
mutating methods.
Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.
* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
calling setIntegralAttribute.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCorehtmlHTMLBodyElementcpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (200839 => 200840)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-05-13 11:36:41 UTC (rev 200839)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-05-13 11:38:40 UTC (rev 200840)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-04-26 Brent Fulgham <bfulgham@apple.com>
+
+ GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
+ https://bugs.webkit.org/show_bug.cgi?id=157020
+ <rdar://problem/25148315>
+
+ Reviewed by Darin Adler.
+
+ Calls to setIntegralAttribute triggers event handling code, which can cause
+ the underlying m_frameOwnerElement member to be deleted. We could clone this
+ object, but since we only want the width and height we should just read them
+ while we know the object is in a good state, then execute the potentially
+ mutating methods.
+
+ Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.
+
+ * html/HTMLBodyElement.cpp:
+ (WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
+ calling setIntegralAttribute.
+
</ins><span class="cx"> 2016-04-25 Brent Fulgham <bfulgham@apple.com>
</span><span class="cx">
</span><span class="cx"> Add port 4190 (managesieve) to port blacklist
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCorehtmlHTMLBodyElementcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp (200839 => 200840)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp 2016-05-13 11:36:41 UTC (rev 200839)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/html/HTMLBodyElement.cpp 2016-05-13 11:38:40 UTC (rev 200840)
</span><span class="lines">@@ -193,17 +193,22 @@
</span><span class="cx"> // FIXME: It's surprising this is web compatible since it means a marginwidth and marginheight attribute can
</span><span class="cx"> // magically appear on the <body> of all documents embedded through <iframe> or <frame>.
</span><span class="cx"> // FIXME: Perhaps this code should be in attach() instead of here.
</span><del>- HTMLFrameOwnerElement* ownerElement = document().ownerElement();
- if (is<HTMLFrameElementBase>(ownerElement)) {
- HTMLFrameElementBase& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
- int marginWidth = ownerFrameElement.marginWidth();
- if (marginWidth != -1)
- setIntegralAttribute(marginwidthAttr, marginWidth);
- int marginHeight = ownerFrameElement.marginHeight();
- if (marginHeight != -1)
- setIntegralAttribute(marginheightAttr, marginHeight);
- }
</del><ins>+ auto* ownerElement = document().ownerElement();
+ if (!is<HTMLFrameElementBase>(ownerElement))
+ return InsertionDone;
+
+ auto& ownerFrameElement = downcast<HTMLFrameElementBase>(*ownerElement);
</ins><span class="cx">
</span><ins>+ // Read values from the owner before setting any attributes, since setting an attribute can run arbitrary
+ // JavaScript, which might delete the owner element.
+ int marginWidth = ownerFrameElement.marginWidth();
+ int marginHeight = ownerFrameElement.marginHeight();
+
+ if (marginWidth != -1)
+ setIntegralAttribute(marginwidthAttr, marginWidth);
+ if (marginHeight != -1)
+ setIntegralAttribute(marginheightAttr, marginHeight);
+
</ins><span class="cx"> return InsertionDone;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>