Heap-use-after-free in DocumentLoader::stopLoading
author Allan Sandfeld Jensen <allan.jensen@digia.com>
Wed, 23 Jan 2013 11:06:02 +0000 (12:06 +0100)
committer The Qt Project <gerrit-noreply@qt-project.org>
Wed, 23 Jan 2013 17:59:15 +0000 (18:59 +0100)
commit 9a0c51e753db9e4164df97801f132237e62387de
tree d71db78a027e28e1ac8ac5c1cb46c6cd20bb05ff
parent cc73ba23ef1f3b28be84e7e5228298418a453b20
Heap-use-after-free in DocumentLoader::stopLoading

https://bugs.webkit.org/show_bug.cgi?id=103656

Reviewed by Eric Seidel.

Source/WebCore:

Test: fast/dom/ready-state-change-crash.html

* html/parser/HTMLDocumentParser.cpp:
(WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
if the parser is detached due to a mutation event.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoading): Move the protectors for
the frame and document loader to the start of the function. The call to
m_frame->loader()->stopLoading() can change the document ready state
and fire a mutation event which might blow the document loader from
underneath.

Change-Id: Ib51a1eb062e552eb0cfa7e4ac647e59a4c6b433d
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLDocumentParser.cpp
Source/WebCore/loader/DocumentLoader.cpp
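To illustrate the protector pattern the commit message describes, here is a constructed C++ model (added example code, not WebKit's or Qt's): Frame, Loader, Owner and the detaching listener are assumptions standing in for the frame loader, DocumentLoader and the mutation-event path. The unprotected variant reports, through a weak_ptr probe, the point at which the real code would have touched freed memory; the protected variant takes the strong reference at the top of the function, as the fix does.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed models, not WebKit's classes: a Frame that fires a listener when
// loading stops, and a Loader whose ready state that listener may react to.
struct Frame {
    std::function<void()> readyStateChanged;  // models the mutation-event listener
    void stopLoading() {
        auto listener = readyStateChanged;    // copy so the closure outlives any reset
        if (listener) listener();
    }
};

struct Loader {
    Frame* frame;
    std::string readyState = "loading";
    static int destroyed;                     // counts destructor runs for the check
    explicit Loader(Frame* f) : frame(f) {}
    ~Loader() { ++destroyed; }
};
int Loader::destroyed = 0;

// The only strong reference lives here; a listener that resets it destroys the
// loader while stopLoading() is still on the stack.
struct Owner { std::shared_ptr<Loader> loader; };

// Constructed listener: detaching the loader during the ready-state change is
// the "blow the document loader from underneath" case.
void attachDetachingListener(Owner& owner) {
    owner.loader->frame->readyStateChanged = [&owner] { owner.loader.reset(); };
}

// 'Before' shape: no protector. Returns false if the loader died during the
// re-entrant call, i.e. where the real code would access freed memory.
bool stopLoadingUnprotected(Owner& owner) {
    std::weak_ptr<Loader> probe = owner.loader; // stands in for ASan, not part of the fix
    Loader* self = owner.loader.get();
    self->frame->stopLoading();
    if (probe.expired()) return false;          // self->readyState here would be a UAF
    self->readyState = "stopped";
    return true;
}

// 'After' shape: a protector taken at the start keeps the loader alive across the call.
bool stopLoadingProtected(Owner& owner) {
    std::shared_ptr<Loader> protect = owner.loader;
    protect->frame->stopLoading();
    protect->readyState = "stopped";            // safe: protect still owns the object
    return true;
}
```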