https://bugs.webkit.org/show_bug.cgi?id=183395
<rdar://problem/
38055732>
Reviewed by Zalan Bujtas.
Source/WebCore:
In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
Test: editing/selection/iframe-update-selection-appearance.html
* editing/FrameSelection.cpp:
(WebCore::FrameSelection::appearanceUpdateTimerFired):
LayoutTests:
Add a new layout test that passes if we didn't crash.
* editing/selection/iframe-update-selection-appearance-expected.txt: Added.
* editing/selection/iframe-update-selection-appearance.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230513
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2018-04-10 Wenson Hsieh <wenson_hsieh@apple.com>
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ Add a new layout test that passes if we didn't crash.
+
+ * editing/selection/iframe-update-selection-appearance-expected.txt: Added.
+ * editing/selection/iframe-update-selection-appearance.html: Added.
+
2018-04-10 Nan Wang <n_wang@apple.com>
AX: Expose strong password fields on iOS
--- /dev/null
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <style>
+ body { -webkit-user-modify: read-only; }
+ </style>
+ <script src="../../resources/js-test.js"></script>
+ <script>
+ function reconnectSubframe() {
+ document.body.appendChild(document.querySelector("iframe"));
+ }
+
+ function go() {
+ jsTestIsAsync = true;
+ if (window.finishJSTest)
+ setTimeout(() => setTimeout(finishJSTest));
+
+ getSelection().setPosition(document.body);
+
+ if (window.internals)
+ setTimeout(() => internals.setCaptionsStyleSheetOverride("* { }"));
+
+ reconnectSubframe();
+ }
+ </script>
+</head>
+
+<body onload="go()">
+ <iframe hidden="true"></iframe>
+ <embed type="foobar" onbeforeload="reconnectSubframe()"></embed>
+</body>
+</html>
\ No newline at end of file
+2018-04-10 Wenson Hsieh <wenson_hsieh@apple.com>
+
+ FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it
+ https://bugs.webkit.org/show_bug.cgi?id=183395
+ <rdar://problem/38055732>
+
+ Reviewed by Zalan Bujtas.
+
+ In the case where a FrameSelection updates its appearance when m_appearanceUpdateTimer is fired, the
+ FrameSelection's Frame is unprotected, and can be removed by arbitrary script. This patch applies a simple
+ mitigation by wrapping the Frame in a Ref when firing the appearance update timer.
+
+ Test: editing/selection/iframe-update-selection-appearance.html
+
+ * editing/FrameSelection.cpp:
+ (WebCore::FrameSelection::appearanceUpdateTimerFired):
+
2018-04-10 Brent Fulgham <bfulgham@apple.com>
Unreviewed follow-up to r230468.
void FrameSelection::appearanceUpdateTimerFired()
{
+ Ref<Frame> protectedFrame(*m_frame);
updateAppearanceAfterLayoutOrStyleChange();
}
git://git.webkit.org / WebKit-https.git / commitdiff