The Vulnerability History Project

Protect DOM nodes in IndentOutdentCommand::tryIndentingAsListItem()

This patch changes IndentOutdentCommand::tryIndentingAsListItem() to use RefPtr<T> instead of raw pointers for Node and Element so that they are not removed during insertNodeBefore() and moveParagraphWithClones() calls, which can execute user script to remove DOM nodes.

Note: When I tried to run a test case created by ClusterFuzz, content_shell didn't fail. It is hard to create a test case by hand.

BUG=294456
TEST=ClusterFuzz

Review URL: https://codereview.chromium.org/25691002

git-svn-id: svn://svn.chromium.org/blink/trunk@158727 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 24c7296e95a3f2518d9a84d262d806a87a07099a
+11 -11
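The lifetime problem the commit message describes, as an added example that is not Blink code or part of the commit: a node held only by a raw pointer is destroyed when a re-entrant call drops the tree's last reference, while a RefPtr-style local keeps it alive. `Node`, `NodeRef`, `editingCallThatRunsScript` and `itemSurvivesCall` are hypothetical stand-ins, and the "script" is simulated by detaching the child.

```cpp
#include <cstdio>
static int g_destroyed = 0;  // bumped by ~Node(), so liveness is checked without touching freed memory

// Hypothetical stand-in for a ref-counted DOM node with one child slot.
struct Node {
    int refs = 0;
    Node* child = nullptr;  // the tree's owning reference to the child
    void ref() { ++refs; }
    void deref() { if (--refs == 0) delete this; }
    ~Node() { ++g_destroyed; if (child) child->deref(); }
};

// Hypothetical RefPtr<T>-style holder: keeps the node alive for the holder's scope.
struct NodeRef {
    Node* p;
    explicit NodeRef(Node* n) : p(n) { if (p) p->ref(); }
    NodeRef(const NodeRef&) = delete;
    NodeRef& operator=(const NodeRef&) = delete;
    ~NodeRef() { if (p) p->deref(); }
};

// Stand-in for an editing call that ends up running page script; the
// "script" here detaches the child, dropping the tree's reference to it.
void editingCallThatRunsScript(Node* parent) {
    Node* c = parent->child;
    parent->child = nullptr;
    if (c) c->deref();
}

// Returns true if the list item is still alive after the re-entrant call.
bool itemSurvivesCall(bool protect) {
    g_destroyed = 0;
    Node* parent = new Node; parent->ref();
    Node* item = new Node; item->ref();  // refs == 1, owned by the tree
    parent->child = item;
    bool alive;
    if (protect) {
        NodeRef keep(item);                 // refs == 2 for this scope
        editingCallThatRunsScript(parent);  // tree drops its ref, refs == 1
        alive = (g_destroyed == 0);         // item is still valid to use here
    } else {
        editingCallThatRunsScript(parent);  // refs hits 0, item is deleted
        alive = (g_destroyed == 0);         // raw `item` now dangles; never dereferenced
    }
    parent->deref();
    return alive;
}

int main() {
    std::printf("RefPtr-style: %d, raw: %d\n", itemSurvivesCall(true), itemSurvivesCall(false));
}
```

The unprotected branch only observes that the destructor ran; any later use of `item` there would be the use-after-free the patch guards against.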