From 2b6ea0299b0340ff815b7beab6e7491ff5e4d6c0 Mon Sep 17 00:00:00 2001
From: Steve Block
Date: Thu, 5 Aug 2010 12:10:12 +0100
Subject: Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed

Bug: 2895569
Change-Id: I76f48ca7d6ddee996127254c5f1f00e355318527
---
 WebCore/dom/Element.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 0a1bc75..e12d326 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -1259,8 +1259,12 @@ void Element::focus(bool restorePreviousSelection)
         return;
     }
 
-    if (Page* page = doc->page())
+    RefPtr protect;
+    if (Page* page = doc->page()) {
+        // Focus and change event handlers can cause us to lose our last ref.
+        protect = this;
         page->focusController()->setFocusedNode(this, doc->frame());
+    }
 
     // Setting the focused node above might have invalidated the layout due to scripts.
     doc->updateLayoutIgnorePendingStylesheets();
-- 
cgit v1.1
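Review bot: The new comment explains why `protect` is taken but not why it is declared at function scope rather than inside the `if` where it is assigned: the RefPtr is held until `focus()` returns, and that outer lifetime is what keeps `this` valid for `doc->updateLayoutIgnorePendingStylesheets()` and whatever follows after script has run from `setFocusedNode()`, so a reader moving the declaration into the block would silently reopen the use-after-free. Suggest saying so where the local is declared, e.g. `// Held until focus() returns: handlers run from setFocusedNode() may drop our last ref, and the code below still uses |this|.`, or collapsing the split declaration/assignment into `RefPtr<Element> protect(this);` before the `if` so the intent is visible from the declaration alone. The line reads `RefPtr protect;` here, which looks like the template argument was stripped in rendering; if the committed line really lacks `<Element>` it will not compile, so worth confirming against the source. The rest of `Element::focus` lies outside the hunk, so what else dereferences `this` after the block is inferred rather than visible.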