[Webkit-unassigned] [Bug 64256] REGRESSION(r90552): platform/mac/accessibility/html-slider-indicator.html fails
bugzilla-daemon at webkit.org
Mon Jul 11 02:33:28 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=64256
Kent Tamura <tkent at chromium.org> changed:
What                    |Removed |Added
----------------------------------------------------------------------------
Attachment #100256 Flag |review? |review-
--- Comment #2 from Kent Tamura <tkent at chromium.org> 2011-07-11 02:33:28 PST ---
(From update of attachment 100256)
View in context: https://bugs.webkit.org/attachment.cgi?id=100256&action=review
> Source/WebCore/html/RangeInputType.cpp:224
> element()->dispatchFormControlChangeEvent();
> +
> + if (AXObjectCache::accessibilityEnabled())
> + element()->document()->axObjectCache()->postNotification(element()->renderer(), AXObjectCache::AXValueChanged, true);
> }
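Review bot: element() is dereferenced again after dispatchFormControlChangeEvent(), which runs the page's change listeners, so at the postNotification line both element() and the implicit `this` (the RangeInputType owned by that element) may already be freed: a listener can remove the <input> from the document or change its type. Take `RefPtr<HTMLInputElement> input = element();` before the dispatch and use only `input` afterwards, never `element()` or any other member. Also, once script has run, `input->renderer()` can be null (the element may now be detached or styled display:none), so either check it or confirm that postNotification tolerates a null renderer.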
dispatchFormControlChangeEvent() dispatches a 'change' event, so JavaScript code runs in it.
The JavaScript code can delete the parent <input>, and can change the type of the <input>. So accessing element() after dispatchFormControlChangeEvent() causes a use-after-free.
You need to protect a reference to element() with RefPtr<> in order to keep the <input> alive and in order to avoid 'this' access.
    RefPtr<HTMLInputElement> input = element();
    input->dispatchFormControlChangeEvent();
    if (...)
        input->document()->axObjectCache()->postNotification(input->renderer(), ...
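The hazard Kent describes, as an added example that is not WebKit code: a miniature model with an intrusive refcount, a RefPtr<>, an element that owns its InputType through a unique_ptr, and a "change listener" that either removes the input (dropping the document's only reference) or changes its type (replacing the InputType while one of its methods is still running). The names commitValueUnsafe, commitValueSafe, setType, attached and the live-object registry are invented for the illustration; the registry exists only so the dangling case can be reported by pointer value instead of being dereferenced.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Registry of live objects (illustration only): lets the example detect a
// dangling pointer by value instead of dereferencing freed memory.
static std::set<const void*> g_live;
struct LiveTracked {
    LiveTracked() { g_live.insert(this); }
    virtual ~LiveTracked() { g_live.erase(this); }
};
static bool isLive(const void* p) { return g_live.count(p) != 0; }

// Minimal intrusive refcount and RefPtr<>, in the spirit of WebCore's.
struct RefCounted : LiveTracked {
    int refCount = 0;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
template<typename T> class RefPtr {
public:
    RefPtr(T* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(RefPtr o) { std::swap(m_ptr, o.m_ptr); return *this; }
    T* operator->() const { return m_ptr; }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

// Stand-in for AXObjectCache: records what was posted, ignores null renderers.
struct AXObjectCache {
    std::vector<std::string> posted;
    void postNotification(const void* renderer, const char* name) {
        if (renderer) posted.push_back(name);
    }
};

class HTMLInputElement;
class InputType : public LiveTracked {            // stands in for RangeInputType
public:
    explicit InputType(HTMLInputElement* e) : m_element(e) {}
    HTMLInputElement* element() const { return m_element; }
    bool commitValueUnsafe(AXObjectCache&);       // the shape of the rejected hunk
    bool commitValueSafe(AXObjectCache&);         // the shape Kent asks for
private:
    HTMLInputElement* m_element;                  // non-owning back-pointer
};

class HTMLInputElement : public RefCounted {
public:
    HTMLInputElement() : m_inputType(new InputType(this)) {}
    std::function<void()> onchange;               // stands in for a JS change listener
    bool attached = true;                         // detached elements have no renderer
    const void* renderer() const { return attached ? this : nullptr; }
    InputType* inputType() { return m_inputType.get(); }
    void setType() { m_inputType.reset(new InputType(this)); }  // frees the old InputType
    void dispatchFormControlChangeEvent() { auto h = onchange; if (h) h(); }
private:
    std::unique_ptr<InputType> m_inputType;
};

bool InputType::commitValueUnsafe(AXObjectCache& cache) {
    const void* self = this;                      // remembered only to prove the hazard below
    HTMLInputElement* el = m_element;
    el->dispatchFormControlChangeEvent();         // runs script: may remove the input or change its type
    if (!isLive(self) || !isLive(el))
        return false;                             // the real hunk dereferences element() here: use-after-free
    cache.postNotification(el->renderer(), "AXValueChanged");
    return true;
}

bool InputType::commitValueSafe(AXObjectCache& cache) {
    RefPtr<HTMLInputElement> input = element();   // pins the element until this function returns
    input->dispatchFormControlChangeEvent();
    // Only the local is used from here on: 'this' may already be gone after a type change.
    cache.postNotification(input->renderer(), "AXValueChanged");
    return true;
}

enum class Listener { None, RemovesInput, ChangesType };
struct Result { bool ok; std::size_t posted; };

// Builds a "document" owning one <input> (its only reference), installs the
// chosen change listener, and runs one commit through the element's InputType.
Result run(bool useSafe, Listener listener) {
    AXObjectCache cache;
    RefPtr<HTMLInputElement> document = new HTMLInputElement();
    HTMLInputElement* raw = document.get();
    raw->onchange = [&] {
        if (listener == Listener::RemovesInput) { raw->attached = false; document = nullptr; }
        else if (listener == Listener::ChangesType) raw->setType();
    };
    bool ok = useSafe ? raw->inputType()->commitValueSafe(cache)
                      : raw->inputType()->commitValueUnsafe(cache);
    return {ok, cache.posted.size()};
}
```

With no listener both paths post the notification. With a listener that removes the input, the unsafe path finds both the element and its own `this` dead and has to bail out (in the real code it would dereference freed memory), while the safe path keeps the element alive through the local RefPtr and simply posts nothing because the detached element has no renderer. With a listener that changes the type, only `this` is freed, which is why the fix must stop touching members (including the element() accessor) after the dispatch and use the pinned local instead.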