From 88ea388f2d61fc4e081b3b4f077cd5f5acd296a1 Mon Sep 17 00:00:00 2001 From: Steve Block Date: Thu, 5 Aug 2010 12:10:12 +0100 Subject: Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed Bug: 2895569 Change-Id: I76f48ca7d6ddee996127254c5f1f00e355318527 --- WebCore/dom/Element.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp index 0a1bc75..e12d326 100644 --- a/WebCore/dom/Element.cpp +++ b/WebCore/dom/Element.cpp @@ -1259,8 +1259,12 @@ void Element::focus(bool restorePreviousSelection) return; } - if (Page* page = doc->page()) + RefPtr protect; + if (Page* page = doc->page()) { + // Focus and change event handlers can cause us to lose our last ref. + protect = this; page->focusController()->setFocusedNode(this, doc->frame()); + } // Setting the focused node above might have invalidated the layout due to scripts. doc->updateLayoutIgnorePendingStylesheets(); -- cgit v1.1 From 0433734318551aac3b7b82b9d8ab5d485d7d0439 Mon Sep 17 00:00:00 2001 From: Steve Block Date: Thu, 5 Aug 2010 12:12:56 +0100 Subject: Cherry-pick WebKit change 61921 to fix exploitable memory corruption in RenderBoxModelObject Bug: 2895569 Change-Id: Iea09dc4fdc35e68ccad36deed2132f02e3778e34 --- WebCore/platform/text/BidiResolver.h | 67 +++++++++++++++++++++--------------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/WebCore/platform/text/BidiResolver.h b/WebCore/platform/text/BidiResolver.h index 286cdcd..a99fd01 100644 --- a/WebCore/platform/text/BidiResolver.h +++ b/WebCore/platform/text/BidiResolver.h @@ -806,35 +806,33 @@ void BidiResolver::createBidiRunsForLine(const Iterator& end, boo break; } - if (pastEnd) { - if (eor == current) { - if (!reachedEndOfLine) { - eor = endOfLine; - switch (m_status.eor) { - case LeftToRight: - case RightToLeft: - case ArabicNumber: - m_direction = m_status.eor; - break; - case EuropeanNumber: - m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber; - break; - default: - ASSERT(false); - } - appendRun(); + if (pastEnd && eor == current) { + if (!reachedEndOfLine) { + eor = endOfLine; + switch (m_status.eor) { + case LeftToRight: + case RightToLeft: + case ArabicNumber: + m_direction = m_status.eor; + break; + case EuropeanNumber: + m_direction = m_status.lastStrong == LeftToRight ? LeftToRight : EuropeanNumber; + break; + default: + ASSERT(false); } - current = end; - m_status = stateAtEnd.m_status; - sor = stateAtEnd.sor; - eor = stateAtEnd.eor; - last = stateAtEnd.last; - reachedEndOfLine = stateAtEnd.reachedEndOfLine; - lastBeforeET = stateAtEnd.lastBeforeET; - emptyRun = stateAtEnd.emptyRun; - m_direction = OtherNeutral; - break; + appendRun(); } + current = end; + m_status = stateAtEnd.m_status; + sor = stateAtEnd.sor; + eor = stateAtEnd.eor; + last = stateAtEnd.last; + reachedEndOfLine = stateAtEnd.reachedEndOfLine; + lastBeforeET = stateAtEnd.lastBeforeET; + emptyRun = stateAtEnd.emptyRun; + m_direction = OtherNeutral; + break; } // set m_status.last as needed. @@ -887,8 +885,21 @@ void BidiResolver::createBidiRunsForLine(const Iterator& end, boo } increment(); - if (!m_currentExplicitEmbeddingSequence.isEmpty()) + if (!m_currentExplicitEmbeddingSequence.isEmpty()) { commitExplicitEmbedding(); + if (pastEnd) { + current = end; + m_status = stateAtEnd.m_status; + sor = stateAtEnd.sor; + eor = stateAtEnd.eor; + last = stateAtEnd.last; + reachedEndOfLine = stateAtEnd.reachedEndOfLine; + lastBeforeET = stateAtEnd.lastBeforeET; + emptyRun = stateAtEnd.emptyRun; + m_direction = OtherNeutral; + break; + } + } if (emptyRun && (dirCurrent == RightToLeftEmbedding || dirCurrent == LeftToRightEmbedding -- cgit v1.1