diff options
| author | Steve Block <steveblock@google.com> | 2010-08-06 18:59:53 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2010-08-06 18:59:53 -0700 |
| commit | 373399bd97b28edc9ee0b6fafdce24cd3becc42c (patch) | |
| tree | cd95eb94e2d056a330853221a0f0dbd85188a0a8 | |
| parent | da53ac10c4ac5febda5ffc0b3273dabfeea30c04 (diff) | |
| parent | 7162fe0e3c5886b6c35f42c5cd9d9e83aa3785cf (diff) | |
| download | external_webkit-373399bd97b28edc9ee0b6fafdce24cd3becc42c.zip external_webkit-373399bd97b28edc9ee0b6fafdce24cd3becc42c.tar.gz external_webkit-373399bd97b28edc9ee0b6fafdce24cd3becc42c.tar.bz2 | |
am 7162fe0e: am 2b6ea029: Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed
Merge commit '7162fe0e3c5886b6c35f42c5cd9d9e83aa3785cf' into gingerbread-plus-aosp
* commit '7162fe0e3c5886b6c35f42c5cd9d9e83aa3785cf':
Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed
| -rw-r--r-- | WebCore/dom/Element.cpp | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp index 0a1bc75..e12d326 100644 --- a/WebCore/dom/Element.cpp +++ b/WebCore/dom/Element.cpp @@ -1259,8 +1259,12 @@ void Element::focus(bool restorePreviousSelection) return; } - if (Page* page = doc->page()) + RefPtr<Node> protect; + if (Page* page = doc->page()) { + // Focus and change event handlers can cause us to lose our last ref. + protect = this; page->focusController()->setFocusedNode(this, doc->frame()); + } // Setting the focused node above might have invalidated the layout due to scripts. doc->updateLayoutIgnorePendingStylesheets(); |