angler-fishThe Vulnerability History Project

Fix the logic that limits the number of frames in a page.

      This check apparently doesn't run soon enough, and we can create more than the
intended limit of 1000 frames. Once we hit 1024,
NodeRareData::m_connecetedFrameCount can overflow and we no longer fully detach
Frames from their owners at teardown.

BUG=493243
TEST=WebFrameTest.MaxFramesDetach

Review URL: https://codereview.chromium.org/1180603002

git-svn-id: svn://svn.chromium.org/blink/trunk@197139 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Loren the Western Gorilla 2015-06-15 21:26:44 UTC
commit 02ab4913c82188af2c7e440742a11d5231dbaa0e
Chromium Fix CVE-2015-1284
third_party/WebKit/Source/core/dom/NodeRareData.cpp
-6
third_party/WebKit/Source/core/dom/NodeRareData.h
+4 -1
third_party/WebKit/Source/core/frame/LocalFrame.cpp
+2
third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.cpp
-4
third_party/WebKit/Source/web/tests/WebFrameTest.cpp
-8
third_party/WebKit/Source/web/tests/data/max-frames-detach.html
-7
expand_less