[webkitgtk3/f21] Backport fix for use-after-free when destroying frame

Tomas Popela tpopela at fedoraproject.org
Tue Mar 10 06:18:31 UTC 2015


commit 738dc9124658c9aca08c3e7ed584ef3ee5fb8fbe
Author: Tomas Popela <tpopela at redhat.com>
Date:   Tue Mar 10 07:17:50 2015 +0100

    Backport fix for use-after-free when destroying frame

 webkitgtk-2.4.8-g_object_destroyed.patch | 23 +++++++++++++++++++++++
 webkitgtk3.spec                          |  8 +++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
---
diff --git a/webkitgtk-2.4.8-g_object_destroyed.patch b/webkitgtk-2.4.8-g_object_destroyed.patch
new file mode 100644
index 0000000..479f1de
--- /dev/null
+++ b/webkitgtk-2.4.8-g_object_destroyed.patch
@@ -0,0 +1,23 @@
+diff --git a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+index 76cf279..9d1b881 100644
+--- a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
++++ b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+@@ -52,12 +52,13 @@ void GObjectEventListener::gobjectDestroyed()
+ {
+     ASSERT(m_coreTarget);
+ 
+-    // We must set m_coreTarget to null, because removeEventListener
+-    // may call the destructor as a side effect and we must be in the
+-    // proper state to prevent g_object_weak_unref.
+-    EventTarget* target = m_coreTarget;
++    // Protect 'this' class in case the 'm_coreTarget' holds the last reference,
++    // which may cause, inside removeEventListener(), free of this object
++    // and later use-after-free with the m_handler = 0; assignment.
++    RefPtr<GObjectEventListener> protect(this);
++
++    m_coreTarget->removeEventListener(m_domEventName.data(), this, m_capture);
+     m_coreTarget = 0;
+-    target->removeEventListener(m_domEventName.data(), this, m_capture);
+     m_handler = 0;
+ }
+ 
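Review bot: The new patch file begins directly at the inner `diff --git` line with no provenance header, so a later rebase cannot tell which upstream change it carries; the spec's Patch6 comment points at https://bugs.webkit.org/show_bug.cgi?id=127474, and that URL, the upstream commit id (placeholder: <UPSTREAM-COMMIT-ID>) and a one-line description belong above the diff. The fix also relies on an ordering the added comment does not spell out: the removed code nulled `m_coreTarget` before calling removeEventListener because, per the removed comment, the destructor keys g_object_weak_unref on it, and with `protect` holding a reference that destructor is now deferred to the end of gobjectDestroyed, after `m_coreTarget = 0;`, so the invariant still holds — worth stating, e.g. `// m_coreTarget is cleared before 'protect' goes out of scope, so the destructor it may trigger still sees it null.`. "Protect 'this' class" in the added comment should read "this object". `ASSERT(m_coreTarget)` is debug-only, so a null target still reaches `m_coreTarget->removeEventListener(...)` in release builds exactly as it reached `target->` before; this patch does not change that.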
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 9b71ce0..3e199b9 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -10,7 +10,7 @@
 
 Name:           webkitgtk3
 Version:        2.4.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        GTK+ Web content engine library
 
 Group:          Development/Libraries
@@ -26,6 +26,8 @@ Patch3:         webkitgtk-2.4.5-cloop_fix_32.patch
 Patch4:         webkitgtk-2.4.1-ppc64_align.patch
 # https://bugs.webkit.org/show_bug.cgi?id=140241
 Patch5:         webkitgtk-2.4.8-plugin_none.patch
+#https://bugs.webkit.org/show_bug.cgi?id=127474
+Patch6:         webkitgtk-2.4.8-g_object_destroyed.patch
 
 BuildRequires:  at-spi2-core-devel
 BuildRequires:  bison
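Review bot: The Patch6 comment `#https://bugs.webkit.org/show_bug.cgi?id=127474` omits the space after `#` that the Patch5 comment directly above it uses; write it as `# https://bugs.webkit.org/show_bug.cgi?id=127474` so the patch list stays uniform. The changelog entry added further down names only "use-after-free when destroying frame"; repeating the bug URL there would let readers tie release 2.4.8-2 to the upstream report without opening the spec.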
@@ -94,6 +96,7 @@ This package contains developer documentation for %{name}.
 %patch1 -p1 -b .aarch64
 %patch2 -p1 -b .cloop_fix
 %patch5 -p1 -b .plugin_none
+%patch6 -p1 -b .g_object_destroyed
 %ifarch ppc s390
 %patch3 -p1 -b .cloop_fix_32
 %endif
@@ -203,6 +206,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
 %{_datadir}/gtk-doc/html/webkitdomgtk
 
 %changelog
+* Tue Mar 10 2015 Tomas Popela <tpopela at redhat.com> - 2.4.8-2
+- Backport fix for use-after-free when destroying frame
+
 * Wed Jan 07 2015 Tomas Popela <tpopela at redhat.com> - 2.4.8-1
 - Update to 2.4.8
 

