Disconnect UndoManager when its undo scope host is destroyed
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 18 Aug 2012 00:06:39 +0000 (00:06 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 18 Aug 2012 00:06:39 +0000 (00:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=94388

Patch by Sukolsak Sakshuwong <sukolsak@google.com> on 2012-08-17
Reviewed by Ryosuke Niwa.

Source/WebCore:

Disconnect UndoManager in Element's destructor to prevent
use-after-free vulnerabilities.

Test: editing/undomanager/undoscopehost-use-after-free.html

* dom/Element.cpp:
(WebCore::Element::~Element):

LayoutTests:

* editing/undomanager/undoscopehost-use-after-free-expected.txt: Added.
* editing/undomanager/undoscopehost-use-after-free.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@125951 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt [new file with mode: 0644]
LayoutTests/editing/undomanager/undoscopehost-use-after-free.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Element.cpp

index fb59e9a..198f644 100644 (file)
@@ -1,3 +1,13 @@
+2012-08-17  Sukolsak Sakshuwong  <sukolsak@google.com>
+
+        Disconnect UndoManager when its undo scope host is destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=94388
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/undomanager/undoscopehost-use-after-free-expected.txt: Added.
+        * editing/undomanager/undoscopehost-use-after-free.html: Added.
+
 2012-08-17  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r125922.
diff --git a/LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt b/LayoutTests/editing/undomanager/undoscopehost-use-after-free-expected.txt
new file mode 100644 (file)
index 0000000..700441d
--- /dev/null
@@ -0,0 +1,11 @@
+This tests that undoManager doesn't have use-after-free vulnerabilities after its undoScopeHost has been reclaimed by GC.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+call transact() after the undoScopeHost has been reclaimed.
+PASS undoManager.transact(transaction) threw exception Error: INVALID_ACCESS_ERR: DOM Exception 15.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/editing/undomanager/undoscopehost-use-after-free.html b/LayoutTests/editing/undomanager/undoscopehost-use-after-free.html
new file mode 100644 (file)
index 0000000..6e14fd1
--- /dev/null
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../fast/js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="div" undoscope></div>
+<script>
+description("This tests that undoManager doesn't have use-after-free vulnerabilities "
+    + "after its undoScopeHost has been reclaimed by GC.");
+
+var div = document.getElementById("div");
+var undoManager = div.undoManager;
+
+div.parentNode.removeChild(div);
+div = null;
+gc();
+
+var transaction = {
+    "execute": function() { },
+    "undo": function() { },
+    "redo": function() { }
+};
+
+debug("call transact() after the undoScopeHost has been reclaimed.");
+shouldThrow("undoManager.transact(transaction)", "'Error: INVALID_ACCESS_ERR: DOM Exception 15'");
+
+var successfullyParsed = true;
+</script>
+<script src="../../fast/js/resources/js-test-post.js"></script>
+</body>
+</html>
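Review bot: The test's description claims undoManager has no use-after-free after its host is reclaimed, but the body only exercises a single entry point, `shouldThrow("undoManager.transact(transaction)", ...)`, after `div = null; gc();`. Either narrow the description to transact(), or add one shouldThrow per remaining UndoManager method that dereferences the host, so the disconnect path added in Element::~Element is covered for every caller rather than one.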
index 961a9ff..de62358 100644 (file)
@@ -1,3 +1,18 @@
+2012-08-17  Sukolsak Sakshuwong  <sukolsak@google.com>
+
+        Disconnect UndoManager when its undo scope host is destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=94388
+
+        Reviewed by Ryosuke Niwa.
+
+        Disconnect UndoManager in Element's destructor to prevent
+        use-after-free vulnerabilities.
+
+        Test: editing/undomanager/undoscopehost-use-after-free.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::~Element):
+
 2012-08-17  Dan Bernstein  <mitz@apple.com>
 
         Fixed incorrect references to JSVoidCallback.{cpp,h} in the project file.
index 09f84b2..3a8d029 100644 (file)
@@ -146,6 +146,13 @@ Element::~Element()
         ASSERT(m_attributeData);
         m_attributeData->detachAttrObjectsFromElement(this);
     }
+
+#if ENABLE(UNDO_MANAGER)
+    if (hasRareData() && elementRareData()->m_undoManager) {
+        elementRareData()->m_undoManager->disconnect();
+        elementRareData()->m_undoManager.clear();
+    }
+#endif
 }
 
 inline ElementRareData* Element::elementRareData() const
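Review bot: The new block in Element::~Element is correct in order (disconnect() before clear()) but carries no comment saying why it is needed, and the reasoning is not obvious from the destructor alone: the UndoManager is a separately ref-counted object that a script wrapper can keep alive after the element is gone (exactly what the new layout test does with `var undoManager = div.undoManager;`), so its back-pointer to this element must be severed here or later calls dereference freed memory. Suggest a one-line comment above the `#if ENABLE(UNDO_MANAGER)` guard, e.g. `// Script may still hold the UndoManager; sever its reference to this element before it dies.`, so the next person touching rare-data teardown does not move or drop it.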