qt-bugs@ issue : none yet
Trolltech task ID : none yet
bugs.kde.org number : none
applied: no
author: Apple

This fixes CVE-2008-3632:

Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2,
and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a web page with crafted
Cascading Style Sheets (CSS) import statements.


--- a/src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ b/src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -291,9 +291,8 @@ Document::Document(DOMImplementation* im
     m_renderArena = 0;
 
     m_axObjectCache = 0;
-    
-    // FIXME: DocLoader probably no longer needs the frame argument
-    m_docLoader = new DocLoader(frame, this);
+
+    m_docLoader = new DocLoader(this);
 
     visuallyOrdered = false;
     m_bParsing = false;
@@ -1169,15 +1168,23 @@ void Document::detach()
     if (render)
         render->destroy();
 
-    // FIXME: is this needed or desirable?
-    m_frame = 0;
-    
+    // This is required, as our Frame might delete itself as soon as it detaches
+    // us.  However, this violates Node::detach() symantics, as it's never
+    // possible to re-attach.  Eventually Document::detach() should be renamed
+    // or this call made explicit in each of the callers of Document::detach().
+    clearFramePointer();
+
     if (m_renderArena) {
         delete m_renderArena;
         m_renderArena = 0;
     }
 }
 
+void Document::clearFramePointer()
+{
+    m_frame = 0;
+}
+
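Review bot: The new comment above `clearFramePointer()` misspells "semantics" as "symantics"; change the line to `// us.  However, this violates Node::detach() semantics, as it's never`. Since `clearFramePointer()` is public and is now the only thing that drops `m_frame`, its definition would benefit from a one-line comment stating that every later lookup of the frame through this Document (including `DocLoader::frame()`, which this patch routes through `m_doc->frame()`) yields 0, so callers must not cache the `Frame*` across this call. Document::detach() begins before this hunk.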
 void Document::removeAllEventListenersFromAllNodes()
 {
     m_windowEventListeners.clear();
--- a/src/3rdparty/webkit/WebCore/dom/Document.h
+++ b/src/3rdparty/webkit/WebCore/dom/Document.h
@@ -344,6 +344,8 @@ public:
     virtual void attach();
     virtual void detach();
 
+    void clearFramePointer();
+
     RenderArena* renderArena() { return m_renderArena; }
 
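Review bot: The new declaration `void clearFramePointer();` carries no documentation although it is a public member whose effect is non-obvious from its name. A short comment such as `// Drops this Document's Frame*; Frame lookups through the Document (e.g. DocLoader::frame()) return 0 afterwards. Called from detach().` would tell callers what they are opting into. If the class already documents `attach()`/`detach()` elsewhere in the header, the same style should be used here.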
     AXObjectCache* axObjectCache() const;
--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
+++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
@@ -40,10 +40,9 @@
 
 namespace WebCore {
 
-DocLoader::DocLoader(Frame *frame, Document* doc)
+DocLoader::DocLoader(Document* doc)
     : m_cache(cache())
     , m_cachePolicy(CachePolicyVerify)
-    , m_frame(frame)
     , m_doc(doc)
     , m_requestCount(0)
     , m_autoLoadImages(true)
@@ -53,6 +52,11 @@ DocLoader::DocLoader(Frame *frame, Docum
     m_cache->addDocLoader(this);
 }
 
+Frame* DocLoader::frame() const
+{
+    return m_doc->frame();
+}
+
 DocLoader::~DocLoader()
 {
     HashMap<String, CachedResource*>::iterator end = m_docResources.end();
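Review bot: `DocLoader::frame()` dereferences `m_doc` unconditionally, and nothing in the hunk states the invariant that makes this safe. The constructor receives the pointer from `Document`'s own constructor (`new DocLoader(this)`), so it is non-null at construction, but the method is also the new hot path for every former `m_frame` use, so the lifetime assumption deserves to be explicit: `// m_doc is set from Document's constructor and this loader is owned by that Document, so it is never null here.` If the project's ASSERT macro is in scope in this file, `ASSERT(m_doc);` before the return would make the assumption checkable in debug builds.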
@@ -146,7 +150,7 @@ CachedResource* DocLoader::requestResour
         }
     }
                                                           
-    if (m_frame && m_frame->loader()->isReloading())
+    if (frame() && frame()->loader()->isReloading())
         setCachePolicy(CachePolicyReload);
 
     checkForReload(fullURL);
@@ -197,8 +201,8 @@ void DocLoader::removeCachedResource(Cac
 void DocLoader::setLoadInProgress(bool load)
 {
     m_loadInProgress = load;
-    if (!load && m_frame)
-        m_frame->loader()->loadDone();
+    if (!load && frame())
+        frame()->loader()->loadDone();
 }
 
 void DocLoader::checkCacheObjectStatus(CachedResource* resource)
@@ -217,7 +221,7 @@ void DocLoader::checkCacheObjectStatus(C
     }
     
     // Notify the caller that we "loaded".
-    if (!m_frame || m_frame->loader()->haveToldBridgeAboutLoad(resource->url()))
+    if (!frame() || frame()->loader()->haveToldBridgeAboutLoad(resource->url()))
         return;
     
     ResourceRequest request(resource->url());
@@ -226,9 +230,9 @@ void DocLoader::checkCacheObjectStatus(C
     
     if (resource->sendResourceLoadCallbacks()) {
         // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
-        m_frame->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
+        frame()->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
     }
-    m_frame->loader()->didTellBridgeAboutLoad(resource->url());
+    frame()->loader()->didTellBridgeAboutLoad(resource->url());
 }
 
 void DocLoader::incrementRequestCount()
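Review bot: The final `frame()->loader()->didTellBridgeAboutLoad(...)` relies on the null check performed earlier in the function (the `if (!frame() || ...) return;` in the previous hunk of this file), but `loadedResourceFromMemoryCache()` on the line before it calls out to the WebKit client, and the whole point of this patch is that the frame can go away underneath such calls. If the client callback can detach the document, `frame()` would return 0 here and the call would dereference it; re-checking is cheap: `if (Frame* f = frame()) f->loader()->didTellBridgeAboutLoad(resource->url());`. I cannot see from the hunk whether that callback can reach Document::detach(), so this is a precaution rather than a confirmed crash. The same pattern of two separate `frame()` calls appears in the requestResource and setLoadInProgress hunks, where it is harmless because nothing runs between the check and the use.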
--- a/src/3rdparty/webkit/WebCore/loader/DocLoader.h
+++ b/src/3rdparty/webkit/WebCore/loader/DocLoader.h
@@ -49,7 +49,7 @@ friend class Cache;
 friend class HTMLImageLoader;
 
 public:
-    DocLoader(Frame*, Document*);
+    DocLoader(Document*);
     ~DocLoader();
 
     CachedImage* requestImage(const String& url);
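Review bot: `DocLoader(Document*);` is now a single-argument constructor and is not marked `explicit`, so a `Document*` converts implicitly to a `DocLoader` wherever one is expected; the old two-argument form did not have that problem. Change the declaration to `explicit DocLoader(Document*);`. The only construction site visible in this patch (`new DocLoader(this)` in Document.cpp) is unaffected by the change.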
@@ -73,7 +73,7 @@ public:
     CachePolicy cachePolicy() const { return m_cachePolicy; }
     void setCachePolicy(CachePolicy);
     
-    Frame* frame() const { return m_frame; }
+    Frame* frame() const; // Can be NULL
     Document* doc() const { return m_doc; }
 
     void removeCachedResource(CachedResource*) const;
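Review bot: The replacement comment `// Can be NULL` says what the return can be but not why, which is the actual lesson of this patch. Something like `// Looked up through the Document on every call rather than cached, so it returns 0 once Document::clearFramePointer() has run; do not store the result.` records the reason the member was removed. The "do not store" part is the practical constraint for callers that previously treated the value as stable.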
@@ -100,7 +100,6 @@ private:
     HashSet<String> m_reloadedURLs;
     mutable HashMap<String, CachedResource*> m_docResources;
     CachePolicy m_cachePolicy;
-    Frame* m_frame;
     Document *m_doc;
     
     int m_requestCount;