[webkitgtk3/f21] Backport fix for use-after-free when destroying frame
Tomas Popela
tpopela at fedoraproject.org
Tue Mar 10 06:18:31 UTC 2015
commit 738dc9124658c9aca08c3e7ed584ef3ee5fb8fbe
Author: Tomas Popela <tpopela at redhat.com>
Date: Tue Mar 10 07:17:50 2015 +0100
Backport fix for use-after-free when destroying frame
webkitgtk-2.4.8-g_object_destroyed.patch | 23 +++++++++++++++++++++++
webkitgtk3.spec | 8 +++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
---
diff --git a/webkitgtk-2.4.8-g_object_destroyed.patch b/webkitgtk-2.4.8-g_object_destroyed.patch
new file mode 100644
index 0000000..479f1de
--- /dev/null
+++ b/webkitgtk-2.4.8-g_object_destroyed.patch
@@ -0,0 +1,23 @@
+diff --git a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+index 76cf279..9d1b881 100644
+--- a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
++++ b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+@@ -52,12 +52,13 @@ void GObjectEventListener::gobjectDestroyed()
+ {
+ ASSERT(m_coreTarget);
+
+- // We must set m_coreTarget to null, because removeEventListener
+- // may call the destructor as a side effect and we must be in the
+- // proper state to prevent g_object_weak_unref.
+- EventTarget* target = m_coreTarget;
++ // Protect 'this' class in case the 'm_coreTarget' holds the last reference,
++ // which may cause, inside removeEventListener(), free of this object
++ // and later use-after-free with the m_handler = 0; assignment.
++ RefPtr<GObjectEventListener> protect(this);
++
++ m_coreTarget->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_coreTarget = 0;
+- target->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_handler = 0;
+ }
+
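Review bot: The new comment explains the `protect` guard but drops the reason the `m_coreTarget = 0;` assignment still has to run before the function returns: the removed comment noted that the destructor must see a null `m_coreTarget` so it does not call g_object_weak_unref on a GObject that is already being finalized, and with `protect` now holding the last reference that destructor runs when `protect` goes out of scope at the closing brace, not inside removeEventListener(). Without that note a later reader could treat the assignment as dead state-clearing and move or drop it. I'd keep a one-line comment on it, e.g. `// Cleared before 'protect' releases the last reference: the destructor must not g_object_weak_unref a GObject that is already being finalized.` The destructor itself is outside this hunk, so that it tests m_coreTarget is inferred from the removed comment rather than visible here.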
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 9b71ce0..3e199b9 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -10,7 +10,7 @@
Name: webkitgtk3
Version: 2.4.8
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: GTK+ Web content engine library
Group: Development/Libraries
@@ -26,6 +26,8 @@ Patch3: webkitgtk-2.4.5-cloop_fix_32.patch
Patch4: webkitgtk-2.4.1-ppc64_align.patch
# https://bugs.webkit.org/show_bug.cgi?id=140241
Patch5: webkitgtk-2.4.8-plugin_none.patch
+#https://bugs.webkit.org/show_bug.cgi?id=127474
+Patch6: webkitgtk-2.4.8-g_object_destroyed.patch
BuildRequires: at-spi2-core-devel
BuildRequires: bison
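Review bot: The new comment line `#https://bugs.webkit.org/show_bug.cgi?id=127474` drops the space after `#` that the matching Patch5 comment two lines above uses; `# https://bugs.webkit.org/show_bug.cgi?id=127474` keeps the two bug-reference entries consistent. Purely cosmetic, but the spec reads these as a list and the mismatch stands out.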
@@ -94,6 +96,7 @@ This package contains developer documentation for %{name}.
%patch1 -p1 -b .aarch64
%patch2 -p1 -b .cloop_fix
%patch5 -p1 -b .plugin_none
+%patch6 -p1 -b .g_object_destroyed
%ifarch ppc s390
%patch3 -p1 -b .cloop_fix_32
%endif
@@ -203,6 +206,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
%{_datadir}/gtk-doc/html/webkitdomgtk
%changelog
+* Tue Mar 10 2015 Tomas Popela <tpopela at redhat.com> - 2.4.8-2
+- Backport fix for use-after-free when destroying frame
+
* Wed Jan 07 2015 Tomas Popela <tpopela at redhat.com> - 2.4.8-1
- Update to 2.4.8