| author | marius.mlynski <marius.mlynski@gmail.com> | 2016-12-15 17:48:01 -0800 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-04-20 07:38:47 +0000 |
| commit | f1da809abe8e3fdf61a572ded04c04f6b10c990d (patch) | |
| tree | 9376d10b128cc1d9cdd27024892d5c77d4ec7ca9 | |
| parent | 64fdd317d4127142ad9e967197a2df6ac81ef55f (diff) | |
[Backport] CVE-2017-5006
Clear the owner element's widget in Document::shutdown().
FrameView::dispose() doesn't guarantee that the owner's widget is cleared
and this could be problematic when it's overwritten in
LocalFrame::createView() a short time later.
BUG=673170
Change-Id: I1c03233033d09b74409c4d1da9b1b2cc4b17bf41
Review-Url: https://codereview.chromium.org/2563313002
Cr-Commit-Position: refs/heads/master@{#438977}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/dom/Document.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp index b6988859da0..e2e0bdc36ea 100644 --- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp +++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp @@ -2202,6 +2202,15 @@ void Document::detach(const AttachContext& context) // consistent state. ScriptForbiddenScope forbidScript; view()->dispose(); + + // If the widget of the document's frame owner doesn't match view() then + // FrameView::dispose() didn't clear the owner's widget. If we don't clear it + // here, it may be clobbered later in LocalFrame::createView(). See also + // https://crbug.com/673170 and the comment in FrameView::dispose(). + HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner(); + if (ownerElement) + ownerElement->setWidget(nullptr); + m_markers->prepareForDestruction(); if (LocalDOMWindow* window = this->domWindow()) window->willDetachDocumentFromFrame(); |
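Review bot: the new comment and the new code in this hunk describe different conditions. The comment says the owner's widget is stale only "if the widget of the document's frame owner doesn't match view()", but the code never compares the two; it calls `ownerElement->setWidget(nullptr)` unconditionally whenever `deprecatedLocalOwner()` returns an owner. Clearing unconditionally is the safer choice here, since it is idempotent after a successful `FrameView::dispose()` and closes the window in which `LocalFrame::createView()` could otherwise overwrite a dangling widget pointer, so I would keep the code and reword the comment to say the widget is cleared regardless of whether dispose() already did so, rather than implying a check that is not performed. Two smaller points: `m_frame->deprecatedLocalOwner()` is dereferenced without a null check, which is fine only because `view()->dispose()` on the line above already requires a live frame at this point in `Document::detach()`, and that assumption is worth stating in the comment; and the change references BUG=673170 but the hunk carries no regression test, so a test that detaches a document with a frame owner and then re-creates its view would make the fix verifiable rather than relying on the crbug description alone.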