Heap-use-after-free in WebCore::XMLDocumentParser::doEnd
author    Allan Sandfeld Jensen <allan.jensen@digia.com>
          Wed, 23 Jan 2013 11:17:32 +0000 (12:17 +0100)
committer The Qt Project <gerrit-noreply@qt-project.org>
          Wed, 23 Jan 2013 17:59:21 +0000 (18:59 +0100)
commit    c0a3b64d8e6f8eac5a8e65cdb337e24e112da2c3
tree      2241523e73cd66381c519dd083ef7caece6fe979
parent    9a0c51e753db9e4164df97801f132237e62387de
Heap-use-after-free in WebCore::XMLDocumentParser::doEnd

https://bugs.webkit.org/show_bug.cgi?id=100152

Reviewed by Adam Barth.

XMLDocumentParser can be blown away inside document()->styleResolverChanged()
call. Protect it with a local RefPtr in Document::explicitClose.

No new tests. The site specific dependencies are hard to minimize.

* dom/Document.cpp:
(WebCore::Document::explicitClose): RefPtr m_parser into a local, since
it can be detached and nulled out in DocumentWriter::end().
* xml/parser/XMLDocumentParser.cpp:
(WebCore::XMLDocumentParser::end): Bail out when we are detached.
* xml/parser/XMLDocumentParserLibxml2.cpp:
(WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.
* xml/parser/XMLDocumentParserQt.cpp:
(WebCore::XMLDocumentParser::doEnd): Bail out when we are detached.

Change-Id: If7ff9142c561391e7c30632a9b8fb9cbb284fb2c
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/xml/parser/XMLDocumentParser.cpp
Source/WebCore/xml/parser/XMLDocumentParserLibxml2.cpp
Source/WebCore/xml/parser/XMLDocumentParserQt.cpp
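As an added illustration of the two-part fix this commit describes (a local owning reference in explicitClose, plus end()/doEnd() bailing out once detached), the C++ below is not WebKit or Qt code: it uses std::shared_ptr in place of WebCore's RefPtr, and the Parser/Document types, the tearDownParserOnStyleChange flag and the helper functions are stand-ins, not WebCore APIs.

```cpp
#include <memory>

// Stand-in for XMLDocumentParser (hypothetical, not WebCore's class).
struct Parser {
    bool detached = false;
    int endRuns = 0;
    void detach() { detached = true; }
    // Mirrors the fix in XMLDocumentParser::end()/doEnd(): bail out when detached.
    bool end() {
        if (detached)
            return false;
        ++endRuns;
        return true;
    }
};

// Stand-in for Document; m_parser is the member the bug report talks about.
struct Document {
    std::shared_ptr<Parser> m_parser = std::make_shared<Parser>();
    bool tearDownParserOnStyleChange = false;  // models the site-specific path from the bug

    // Stand-in for styleResolverChanged(): on the bad path it reaches
    // DocumentWriter::end(), which detaches the parser and drops the member reference.
    void styleResolverChanged() {
        if (tearDownParserOnStyleChange && m_parser) {
            m_parser->detach();
            m_parser.reset();  // last owner gone: the parser object is destroyed here
        }
    }

    // Original pattern: hold only a raw pointer across the call. Instead of
    // dereferencing it, observe its lifetime and report whether it would dangle.
    bool explicitCloseUnprotectedWouldDangle() {
        std::weak_ptr<Parser> watch = m_parser;
        Parser* raw = m_parser.get();
        styleResolverChanged();
        return raw != nullptr && watch.expired();  // raw->end() here would be a UAF
    }

    // Fixed pattern: a local owning reference (the commit's local RefPtr) keeps the
    // parser alive across the call; end() then sees detached and bails out.
    bool explicitCloseProtected() {
        std::shared_ptr<Parser> parser = m_parser;
        styleResolverChanged();
        return parser ? parser->end() : false;  // returns whether end() did real work
    }
};

// Drive both patterns on the normal path (tearDown=false) and on the bug's path.
bool unprotectedDangles(bool tearDown) {
    Document d; d.tearDownParserOnStyleChange = tearDown; return d.explicitCloseUnprotectedWouldDangle();
}
bool protectedEndRan(bool tearDown) {
    Document d; d.tearDownParserOnStyleChange = tearDown; return d.explicitCloseProtected();
}
```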