Use-after-free in RadioInputType::handleKeydownEvent
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Jun 2013 10:49:02 +0000 (10:49 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Jun 2013 10:49:02 +0000 (10:49 +0000)
https://bugs.webkit.org/show_bug.cgi?id=118035

Reviewed by Kent Tamura.

Use RefPtr for inputElement since setFocusedNode could blow it away.

* html/RadioInputType.cpp:
(WebCore::RadioInputType::handleKeydownEvent):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@151986 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/html/RadioInputType.cpp

index 02c2f6a78e14ab8fbe7b117a6072dd6c90d580f1..bdf4b6fd383daed4172a2d0201e45918882105f7 100644 (file)
@@ -1,3 +1,15 @@
+2013-06-26  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Use-after-free in RadioInputType::handleKeydownEvent
+        https://bugs.webkit.org/show_bug.cgi?id=118035
+
+        Reviewed by Kent Tamura.
+
+        Use RefPtr for inputElement since setFocusedNode could blow it away.
+
+        * html/RadioInputType.cpp:
+        (WebCore::RadioInputType::handleKeydownEvent):
+
 2013-06-26  Christophe Dumez  <ch.dumez@sisa.samsung.com>
 
         Get rid of multiple inheritence for SVGViewElement interface
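Review bot: the new ChangeLog entry names no regression test and does not say why one is absent. For a use-after-free fix, add a Test: line pointing at a layout test that covers this case, or state in the entry that no test is possible, so the fix is guarded against regression.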
index 00536c117029f04938c8b8d70e422ea0d511dd5b..0e75d751542c2e53e357135d6594be60ecc2ed8e 100644 (file)
@@ -93,7 +93,7 @@ void RadioInputType::handleKeydownEvent(KeyboardEvent* event)
         // Look for more radio buttons.
         if (!node->hasTagName(inputTag))
             continue;
-        HTMLInputElement* inputElement = static_cast<HTMLInputElement*>(node);
+        RefPtr<HTMLInputElement> inputElement = static_cast<HTMLInputElement*>(node);
         if (inputElement->form() != element()->form())
             break;
         if (inputElement->isRadioButton() && inputElement->name() == element()->name() && inputElement->isFocusable()) {
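Review bot: on the added `RefPtr<HTMLInputElement> inputElement` line, nothing in the code says why a strong reference is held, so a later cleanup could turn it back into a raw pointer. Add a short comment there noting that setFocusedNode can destroy the element, as the commit message states. The same lifetime concern applies to the raw `node` pointer and to `element()` if either is used after the focus change; the hunk does not show those lines, so confirm that the function returns without touching them, or protect them as well.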