REGRESSION (r123848): Heap-use-after-free in WebCore::CachedResource::didAddClient.
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Aug 2012 16:35:14 +0000 (16:35 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Aug 2012 16:35:14 +0000 (16:35 +0000)
commitcb336bf0a9459bb1aae81cabb5b0d3f8f068b99f
tree49fe4f59128012fb2bf2340a3c47190ae0711d81
parentfb0e712076afa0094d1dee881cb8c749d571cb04
REGRESSION (r123848): Heap-use-after-free in WebCore::CachedResource::didAddClient.
https://bugs.webkit.org/show_bug.cgi?id=93632
-and corresponding-
<http://crbug.com/140656>

Patch by Huang Dongsung <luxtella@company100.net> on 2012-08-10
Reviewed by Antti Koivisto.

CachedCSSStyleSheet::didAddClient() calls CachedStyleSheetClient::setCSSStyleSheet
and HTMLLnkElement can be CachedStyleSheetClient.
HTMLLinkElement::setCSSStyleSheet may cause scripts to be executed, which could
destroy the HTMLLinkElement instance. After calliing
CachedStyleSheetClient::setCSSStyleSheet, using the CachedStyleSheetClient
instance can cause Heap-use-after-free.

r115625 prevents HTMLLinkElement from being destroyed during
HTMLLinkElement::setCSSStyleSheet, but r115625 doesn't prevent HTMLLinkElement
from being destroyed after HTMLLinkElement::setCSSStyleSheet.

So this patch calls CachedResource::didAddClient() before calling
setCSSStyleSheet() to make sure its client is not destroyed.

No new tests. it's covered by fast/css/cached-sheet-restore-crash.html.

* loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::didAddClient):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp