Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2012 22:53:55 +0000 (22:53 +0000)
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 Nov 2012 22:53:55 +0000 (22:53 +0000)
commit c5bebe4826974ee698b372c0f3f85075ec043324
tree 5b9dd1963f13b3dc07b26cacb44642e870f762b4
parent c7d9e267d6fc27f87578b085e54d6a678b866e69
Heap-use-after-free in WebCore::EventHandler::handleMousePressEvent
https://bugs.webkit.org/show_bug.cgi?id=101098

Reviewed by Adam Barth.

|subframe| can be blown away inside passMousePressEventToSubframe
call. Use RefPtr to protect it in handleMousePressEvent function.
We use a similar approach in handleMouseMoveEvent function.

No new tests. Test is extremely time dependent and needs to trigger
interaction gesture. Reproduced on ClusterFuzz.

* page/EventHandler.cpp:
(WebCore::EventHandler::handleMousePressEvent):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@136062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/page/EventHandler.cpp
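The lifetime pattern the commit message describes, as an added example that is not the WebKit patch itself and does not use WebCore's own classes: `Frame`, `FrameRef`, `FrameTree`, `passMousePressEventToSubframe` and the two handler functions are stand-ins assumed here for WebCore::Frame, WTF::RefPtr, the frame tree and EventHandler::handleMousePressEvent. The callee dropping the tree's only reference mid-call models what the message calls |subframe| being "blown away".

```cpp
// Added example modelling the bug fixed by the commit; not WebKit code.
// All type and function names below are assumptions, not WebCore's.
#include <cassert>

struct Frame {
    int refCount = 0;
    bool freed = false;          // set when the last reference is released
    bool sawMousePress = false;
    void ref() { ++refCount; }
    // A real deref() would `delete this` at zero. Marking the object freed
    // instead lets the example observe the use-after-free without executing
    // undefined behaviour (much as ASan's quarantine lets it report one).
    void deref() { if (--refCount == 0) freed = true; }
};

// Minimal RefPtr-like guard: owns exactly one strong reference.
class FrameRef {
public:
    explicit FrameRef(Frame* p = nullptr) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    FrameRef(const FrameRef&) = delete;
    FrameRef& operator=(const FrameRef&) = delete;
    ~FrameRef() { clear(); }
    void clear() { Frame* old = m_ptr; m_ptr = nullptr; if (old) old->deref(); }
    Frame* get() const { return m_ptr; }
private:
    Frame* m_ptr;
};

// The frame tree holds the only long-lived reference to the subframe.
struct FrameTree {
    FrameRef subframe;
    explicit FrameTree(Frame* f) : subframe(f) {}
};

// Stand-in for passMousePressEventToSubframe: delivering the event can run
// script that removes the subframe, which drops the tree's reference.
void passMousePressEventToSubframe(FrameTree& tree, Frame* subframe) {
    subframe->sawMousePress = true;
    tree.subframe.clear();       // the only reference goes away mid-call
}

// Before the fix: |subframe| is a raw pointer, dereferenced after the callee
// released the last reference. Returns true when the object it touches is freed.
bool handleMousePressEventUnprotected(FrameTree& tree) {
    Frame* subframe = tree.subframe.get();
    passMousePressEventToSubframe(tree, subframe);
    return subframe->freed;      // heap-use-after-free with a real allocator
}

// After the fix: a local strong reference keeps the object alive across the
// call, so the post-call access is safe; the object is released only when
// |protector| goes out of scope.
bool handleMousePressEventProtected(FrameTree& tree) {
    FrameRef protector(tree.subframe.get());
    Frame* subframe = protector.get();
    passMousePressEventToSubframe(tree, subframe);
    return subframe->freed;      // still alive: protector holds a reference
}

// Runs one handler against a fresh tree; returns whether it used a freed object.
bool touchesFreedObject(bool protectSubframe) {
    Frame frame;                 // constructed input; "free" is simulated via Frame::freed
    bool result;
    {
        FrameTree tree(&frame);
        result = protectSubframe ? handleMousePressEventProtected(tree)
                                 : handleMousePressEventUnprotected(tree);
    }
    return result;
}

int main() {
    assert(touchesFreedObject(false));   // unprotected handler hits released memory
    assert(!touchesFreedObject(true));   // RefPtr-style protector prevents it
    return 0;
}
```

The protector is the whole fix: the handler's own strong reference means the reference count cannot reach zero until the handler's stack frame unwinds, whatever the subframe's event dispatch does in between. The simulated `freed` flag stands in for what AddressSanitizer reports as heap-use-after-free; with a real `delete` the unprotected path is undefined behaviour rather than a boolean, which is why the commit relies on a fuzzer-found reproduction instead of a deterministic layout test.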