GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
author    bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 26 Apr 2016 16:45:13 +0000 (16:45 +0000)
committer bfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 26 Apr 2016 16:45:13 +0000 (16:45 +0000)
commit    36695ebadd92a80f405406447530ee5cf0e8f2e8
tree      4036b72a59d42649afdec05fafdd1f49988eeb62
parent    fe7ad31b8d373ea33419d6f11a1db832dce40cf7
GuardMalloc crash in WebCore::HTMLFrameElementBase::marginHeight()
https://bugs.webkit.org/show_bug.cgi?id=157020
<rdar://problem/25148315>

Reviewed by Darin Adler.

Calls to setIntegralAttribute trigger event handling code, which can cause
the underlying m_frameOwnerElement member to be deleted. We could clone this
object, but since we only want the width and height we should just read them
while we know the object is in a good state, then execute the potentially
mutating methods.

Tested by imported/blink/fast/dom/HTMLBodyElement/body-inserting-iframe-crash.html.

* html/HTMLBodyElement.cpp:
(WebCore::HTMLBodyElement::insertedInto): Read margin width and height before
calling setIntegralAttribute.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200091 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLBodyElement.cpp
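The before/after pattern the commit message describes, as an added C++ model that is not WebKit code: FrameOwner, OwnerSlot, BodyElement, runScenario and the eventHandler callback are constructed stand-ins, and the slot's liveness flag plays the role GuardMalloc does by turning a read of the destroyed owner into an immediate failure instead of silent memory corruption.

```cpp
#include <functional>
#include <stdexcept>

// Constructed stand-in for the frame owner element (not WebKit's class).
struct FrameOwner { int marginWidth; int marginHeight; };
// Models the owner's heap allocation; reading it after "deletion" fails at
// once, as a GuardMalloc build would on a use-after-free.
struct OwnerSlot {
    FrameOwner obj;
    bool alive = true;
    FrameOwner& get() {
        if (!alive) throw std::logic_error("use after free of frame owner");
        return obj;
    }
};
struct BodyElement {
    OwnerSlot* m_frameOwnerElement;          // non-owning, may die under us
    int marginWidthAttr = -1, marginHeightAttr = -1;
    // Models the event handling that setIntegralAttribute can trigger; in
    // the real bug this is script that may remove the frame element.
    std::function<void()> eventHandler;
    void setIntegralAttribute(int& attr, int value) {
        attr = value;
        if (eventHandler) eventHandler();
    }
    // Before the fix: the second read happens after the owner may be gone.
    void insertedIntoBefore() {
        setIntegralAttribute(marginWidthAttr, m_frameOwnerElement->get().marginWidth);
        setIntegralAttribute(marginHeightAttr, m_frameOwnerElement->get().marginHeight);
    }
    // After the fix: read both while the owner is known good, then mutate.
    void insertedIntoAfter() {
        int w = m_frameOwnerElement->get().marginWidth;
        int h = m_frameOwnerElement->get().marginHeight;
        setIntegralAttribute(marginWidthAttr, w);
        setIntegralAttribute(marginHeightAttr, h);
    }
};
// Runs one variant with a handler that destroys the owner on the first
// attribute change; true means it finished without touching freed memory.
bool runScenario(bool fixed) {
    OwnerSlot slot{FrameOwner{8, 16}};
    BodyElement body{&slot};
    body.eventHandler = [&slot] { slot.alive = false; };
    try {
        if (fixed) body.insertedIntoAfter(); else body.insertedIntoBefore();
    } catch (const std::logic_error&) { return false; }
    return body.marginWidthAttr == 8 && body.marginHeightAttr == 16;
}
```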