[webkit-reviews] review denied: [Bug 89722] Implement undoManager's undo, redo, length, position, clearUndo, and clearRedo : [Attachment 156514] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Aug 3 23:02:34 PDT 2012
Adam Barth <abarth at webkit.org> has denied review:
Bug 89722: Implement undoManager's undo, redo, length, position, clearUndo, and
clearRedo
https://bugs.webkit.org/show_bug.cgi?id=89722
Attachment 156514: Patch
https://bugs.webkit.org/attachment.cgi?id=156514&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=156514&action=review
> Source/WebCore/bindings/js/DOMTransaction.cpp:43
> +DOMTransaction::DOMTransaction(DOMWrapperWorld* isolatedWorld)
Sooooooo much custom code!!!
> Source/WebCore/bindings/js/DOMTransaction.cpp:72
> +static bool getProperty(JSC::JSObject* object, const char* propertyName,
JSC::JSValue &value, JSC::ExecState* exec)
> +{
> + JSC::Identifier identifier(exec, propertyName);
> + JSC::PropertySlot slot(object);
> + if (!object->getPropertySlot(exec, identifier, slot))
> + return false;
> + if (exec->hadException())
> + return false;
> + value = slot.getValue(exec, identifier);
> + return !exec->hadException();
> +}
This code doesn't seem to have anything to do with DOMTransaction. Should this
be in a more general location?
> Source/WebCore/editing/UndoManager.cpp:89
> + entry[i - 1]->unapply();
As far as I can tell, unapply can run script, which means it can mutate
m_undoStack, which means this line of code is almost certainly a use-after-free
vulnerability.
More information about the webkit-reviews
mailing list