[webkitgtk3] Backport fix for use-after-free when destroying frame
Tomas Popela
tpopela at fedoraproject.org
Tue Mar 10 06:27:55 UTC 2015
commit 9ec7d79f874d10c7efe3f568814952f9216f3355
Author: Tomas Popela <tpopela at redhat.com>
Date: Tue Mar 10 07:27:49 2015 +0100
Backport fix for use-after-free when destroying frame
webkitgtk-2.4.8-g_object_destroyed.patch | 23 +++++++++++++++++++++++
webkitgtk3.spec | 8 +++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
---
diff --git a/webkitgtk-2.4.8-g_object_destroyed.patch b/webkitgtk-2.4.8-g_object_destroyed.patch
new file mode 100644
index 0000000..479f1de
--- /dev/null
+++ b/webkitgtk-2.4.8-g_object_destroyed.patch
@@ -0,0 +1,23 @@
+diff --git a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+index 76cf279..9d1b881 100644
+--- a/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
++++ b/Source/WebCore/bindings/gobject/GObjectEventListener.cpp
+@@ -52,12 +52,13 @@ void GObjectEventListener::gobjectDestroyed()
+ {
+ ASSERT(m_coreTarget);
+
+- // We must set m_coreTarget to null, because removeEventListener
+- // may call the destructor as a side effect and we must be in the
+- // proper state to prevent g_object_weak_unref.
+- EventTarget* target = m_coreTarget;
++ // Protect 'this' class in case the 'm_coreTarget' holds the last reference,
++ // which may cause, inside removeEventListener(), free of this object
++ // and later use-after-free with the m_handler = 0; assignment.
++ RefPtr<GObjectEventListener> protect(this);
++
++ m_coreTarget->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_coreTarget = 0;
+- target->removeEventListener(m_domEventName.data(), this, m_capture);
+ m_handler = 0;
+ }
+
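Review bot: The backported hunk reverses the ordering the removed comment depended on — `m_coreTarget->removeEventListener(...)` now runs while `m_coreTarget` is still set — and the new comment explains only why `protect` is needed for the `m_handler = 0;` assignment, not why the old "clear the target first" rule no longer applies. The removed comment suggests the destructor takes a g_object_weak_unref path unless `m_coreTarget` is null; with `protect` holding a reference, destruction is deferred until `protect` leaves scope, by which point `m_coreTarget = 0;` has already run, but that reasoning is unstated and a later reader could "restore" the old order. I would extend the comment with `// Destruction is deferred until 'protect' leaves scope; m_coreTarget is already null by then, so the destructor still skips its weak-unref path.` The function's signature appears only in the hunk header, so the enclosing function starts outside the hunk.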
diff --git a/webkitgtk3.spec b/webkitgtk3.spec
index 46a2782..c96b968 100644
--- a/webkitgtk3.spec
+++ b/webkitgtk3.spec
@@ -10,7 +10,7 @@
Name: webkitgtk3
Version: 2.4.8
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: GTK+ Web content engine library
Group: Development/Libraries
@@ -32,6 +32,8 @@ Patch6: webkitgtk-2.4.8-gcc5.patch
Patch7: webkitgtk-2.4.8-gmutexlocker.patch
# https://bugs.webkit.org/show_bug.cgi?id=142074
Patch8: webkitgtk-2.4.8-user-agent.patch
+#https://bugs.webkit.org/show_bug.cgi?id=127474
+Patch9: webkitgtk-2.4.8-g_object_destroyed.patch
BuildRequires: at-spi2-core-devel
BuildRequires: bison
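Review bot: The new bug-tracker comment on the Patch9 line is written as `#https://bugs.webkit.org/show_bug.cgi?id=127474`, omitting the space after `#` that the neighbouring Patch8 comment uses; for consistency write `# https://bugs.webkit.org/show_bug.cgi?id=127474`. The blank context line between the patch list and the BuildRequires block appears to have been dropped in this rendering, so the hunk's line count does not match what is shown.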
@@ -103,6 +105,7 @@ This package contains developer documentation for %{name}.
%patch6 -p1 -b .gcc5
%patch7 -p1 -b .gmutex_locker
%patch8 -p1 -b .user_agent
+%patch9 -p1 -b .g_object_destroyed
%ifarch ppc s390
%patch3 -p1 -b .cloop_fix_32
%endif
@@ -221,6 +224,9 @@ find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -delete
%{_datadir}/gtk-doc/html/webkitdomgtk
%changelog
+* Tue Mar 10 2015 Tomas Popela <tpopela at redhat.com> - 2.4.8-6
+- Backport fix for use-after-free when destroying frame
+
* Fri Feb 27 2015 Michael Catanzaro <mcatanzaro at gnome.org> - 2.4.8-5
- Add Fedora branding to the user agent