From f1da809abe8e3fdf61a572ded04c04f6b10c990d Mon Sep 17 00:00:00 2001
From: "marius.mlynski"
Date: Thu, 15 Dec 2016 17:48:01 -0800
Subject: [Backport] CVE-2017-5006 Clear the owner element's widget in Document::shutdown(). FrameView::dispose() doesn't guarantee that the owner's widget is cleared and this could be problematic when it's overwritten in LocalFrame::createView() a short time later.
BUG=673170
Change-Id: I1c03233033d09b74409c4d1da9b1b2cc4b17bf41
Review-Url: https://codereview.chromium.org/2563313002
Cr-Commit-Position: refs/heads/master@{#438977}
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/third_party/WebKit/Source/core/dom/Document.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
index b6988859da0..e2e0bdc36ea 100644
--- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp
@@ -2202,6 +2202,15 @@ void Document::detach(const AttachContext& context)
 // consistent state.
 ScriptForbiddenScope forbidScript;
 view()->dispose();
+
+ // If the widget of the document's frame owner doesn't match view() then
+ // FrameView::dispose() didn't clear the owner's widget. If we don't clear it
+ // here, it may be clobbered later in LocalFrame::createView(). See also
+ // https://crbug.com/673170 and the comment in FrameView::dispose().
+ HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();
+ if (ownerElement)
+ ownerElement->setWidget(nullptr);
+
 m_markers->prepareForDestruction();
 if (LocalDOMWindow* window = this->domWindow())
 window->willDetachDocumentFromFrame();
--
cgit v1.2.3
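Review bot: The comment added after `view()->dispose()` describes a condition ("if the widget ... doesn't match view()") that the code beneath it never tests; the owner's widget is cleared unconditionally whenever an owner exists, which is the intended hardening but reads as if a check were missing. Rewording it to state what the code does would spare the next reader that search, e.g. `// FrameView::dispose() only clears the owner's widget when it still matches view(); clear it unconditionally here so a stale widget is not clobbered in LocalFrame::createView() (https://crbug.com/673170).` The declaration-in-condition form used two lines later for `window` would also fit, `if (HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner())`, and keeps the pointer scoped to the one use. Whether `m_frame` is guaranteed non-null at this point is not visible in the hunk, though the preceding `view()->dispose()` already presumes a live frame; Document::detach begins and ends outside the hunk, and the commit message names Document::shutdown(), so the backport target appears to be the older name of the same function.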