author: Zalan Bujtas <zalan@apple.com>
Fri, 4 Jul 2014 08:30:16 +0000 (10:30 +0200)
committer: Allan Sandfeld Jensen <allan.jensen@digia.com>
Fri, 4 Jul 2014 11:26:11 +0000 (13:26 +0200)
commit: cacab2c107e03cd460bcca734b5dd34f825305ea
tree: 06d90a007998f7f66263c99f864f9699fa7fe11b
parent: 68973acc409432af35a2a14be86d4fdb85cc6004
use after free in WebCore::DocumentOrderedMap::remove / WebCore::TreeScope::removeElementById

https://bugs.webkit.org/show_bug.cgi?id=121324

Reviewed by Ryosuke Niwa.

Update the document ordered map for an image element before dispatching
load or error events when it's inserted into a document.

Source/WebCore:

Test: fast/dom/modify-node-and-while-in-the-callback-too-crash.html

* dom/DocumentOrderedMap.cpp: defensive fix to avoid use after free
issues.
(WebCore::DocumentOrderedMap::remove):
* html/HTMLImageElement.cpp:
(WebCore::HTMLImageElement::insertedInto):
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::updateFromElement): setting m_failedLoadURL makes
repeated updateFromElement calls return early.

Change-Id: I305e56de969d0efe3dc67930cdf585a201e8c6a5
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159481 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Michael Bruning <michael.bruning@digia.com>
Source/WebCore/dom/DocumentOrderedMap.cpp
Source/WebCore/html/HTMLImageElement.cpp
Source/WebCore/loader/ImageLoader.cpp
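The ordering hazard the commit message describes (an element's load handler mutating the tree before the id map has been updated) and the defensive `remove` it mentions, modelled as an added example. This is not WebKit's code: `OrderedMap`, `Document`, `insertDispatchFirst`, `insertUpdateMapFirst` and `removeOnLoad` are hypothetical stand-ins for `DocumentOrderedMap`, `TreeScope` and the image element's insertion path, and `insertLeavesStaleEntry` reports whether the map ends up referencing an element the document no longer owns.

```cpp
// Added example (not WebKit code): a simplified model of the reentrancy
// hazard fixed by this commit. All names are hypothetical stand-ins.
#include <cassert>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

struct Element {
    std::string id;
    explicit Element(std::string elementId) : id(std::move(elementId)) {}
};

// Stand-in for DocumentOrderedMap: id -> element pointer.
class OrderedMap {
public:
    void add(const std::string& id, Element* element) { m_map[id] = element; }

    // Defensive removal: a key that is absent or maps to a different element is
    // ignored instead of being dereferenced, in the spirit of the "defensive
    // fix" the change list mentions.
    bool remove(const std::string& id, Element* element) {
        auto it = m_map.find(id);
        if (it == m_map.end() || it->second != element)
            return false;
        m_map.erase(it);
        return true;
    }

    bool contains(const std::string& id) const { return m_map.count(id) != 0; }
    std::size_t size() const { return m_map.size(); }

private:
    std::unordered_map<std::string, Element*> m_map;
};

class Document {
public:
    using LoadHandler = std::function<void(Document&, Element&)>;

    explicit Document(LoadHandler onLoad) : m_onLoad(std::move(onLoad)) {}

    // Buggy ordering: the load event is dispatched before the map is updated.
    // A handler that removes the element destroys it, and the map is then
    // given a pointer to freed memory. The id is copied beforehand so that
    // this model itself stays well-defined; the stale entry is the bug.
    void insertDispatchFirst(std::unique_ptr<Element> element) {
        Element* raw = element.get();
        std::string id = raw->id;
        m_children.push_back(std::move(element));
        m_onLoad(*this, *raw);   // may call removeChild(raw) re-entrantly
        m_ids.add(id, raw);      // raw may already be destroyed here
    }

    // Fixed ordering: register the element first, so a removal triggered from
    // inside the handler finds the entry and clears it.
    void insertUpdateMapFirst(std::unique_ptr<Element> element) {
        Element* raw = element.get();
        m_children.push_back(std::move(element));
        m_ids.add(raw->id, raw);
        m_onLoad(*this, *raw);
    }

    void removeChild(Element* element) {
        m_ids.remove(element->id, element);
        for (auto it = m_children.begin(); it != m_children.end(); ++it) {
            if (it->get() == element) {
                m_children.erase(it);   // frees the element
                return;
            }
        }
    }

    bool hasId(const std::string& id) const { return m_ids.contains(id); }
    std::size_t childCount() const { return m_children.size(); }

private:
    OrderedMap m_ids;
    std::vector<std::unique_ptr<Element>> m_children;
    LoadHandler m_onLoad;
};

// Models a page script that removes the image from inside its own load
// callback, the pattern exercised by the regression test named above.
static void removeOnLoad(Document& doc, Element& element) {
    doc.removeChild(&element);
}

// Returns true when the map still references an element the document no
// longer owns, i.e. the dangling state the buggy ordering produces.
bool insertLeavesStaleEntry(bool updateMapFirst) {
    Document doc(removeOnLoad);
    auto img = std::make_unique<Element>("hero");   // constructed sample element
    if (updateMapFirst)
        doc.insertUpdateMapFirst(std::move(img));
    else
        doc.insertDispatchFirst(std::move(img));
    return doc.childCount() == 0 && doc.hasId("hero");
}
```

With the dispatch-first ordering, `insertLeavesStaleEntry(false)` returns true: the handler's removal finds nothing to remove (the defensive check keeps that step harmless) and the subsequent `add` records a pointer to freed memory. With the map updated first, the same handler removes a live entry and the map ends empty, which is the ordering the commit adopts for `HTMLImageElement::insertedInto`.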