authormarius.mlynski <marius.mlynski@gmail.com>2016-12-15 17:48:01 -0800
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-04-20 07:38:47 +0000
commitf1da809abe8e3fdf61a572ded04c04f6b10c990d (patch)
tree9376d10b128cc1d9cdd27024892d5c77d4ec7ca9
parent64fdd317d4127142ad9e967197a2df6ac81ef55f (diff)
[Backport] CVE-2017-5006
Clear the owner element's widget in Document::shutdown(). FrameView::dispose() doesn't guarantee that the owner's widget is cleared and this could be problematic when it's overwritten in LocalFrame::createView() a short time later. BUG=673170 Change-Id: I1c03233033d09b74409c4d1da9b1b2cc4b17bf41 Review-Url: https://codereview.chromium.org/2563313002 Cr-Commit-Position: refs/heads/master@{#438977} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/dom/Document.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
index b6988859da0..e2e0bdc36ea 100644
--- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
@@ -2202,6 +2202,15 @@ void Document::detach(const AttachContext& context)
// consistent state.
ScriptForbiddenScope forbidScript;
view()->dispose();
+
+ // If the widget of the document's frame owner doesn't match view() then
+ // FrameView::dispose() didn't clear the owner's widget. If we don't clear it
+ // here, it may be clobbered later in LocalFrame::createView(). See also
+ // https://crbug.com/673170 and the comment in FrameView::dispose().
+ HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();
+ if (ownerElement)
+ ownerElement->setWidget(nullptr);
+
m_markers->prepareForDestruction();
if (LocalDOMWindow* window = this->domWindow())
window->willDetachDocumentFromFrame();
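Review bot: The comment added above the new lines says the owner's widget is cleared only "if" it doesn't match view(), but the code that follows clears it unconditionally whenever `deprecatedLocalOwner()` is non-null, so the comment and the code disagree on the condition. Since an unconditional clear is the safer behaviour for a stale-pointer bug of this kind (a dangling widget reused by LocalFrame::createView()), I would keep the code and reword the comment, e.g. `// Always clear the owner's widget here: FrameView::dispose() does not guarantee it, and a stale pointer would be reused in LocalFrame::createView() (crbug.com/673170).` The `m_frame` dereference has no null guard; the preceding `view()->dispose()` suggests the frame is known to be live on this path, but that is inferred from context, not shown in the hunk. Note also that the commit description refers to Document::shutdown() while the hunk patches Document::detach(), presumably the older name in this branch; Document::detach() begins and ends outside the hunk.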