angler-fishThe Vulnerability History Project

Make TreeScopeEventContext have a RefPtr to TreeScope.rootNode to guard TreeScope.

      This fixes a use-after-free caused by TreeScope being freed while TreeScopeEventContext still needs it.
Because TreeScope itself isn't a RefCounted, guard it by having a RefPtr to treeScope.rootNode(), instead.

BUG=442806

Review URL: https://codereview.chromium.org/794123004

git-svn-id: svn://svn.chromium.org/blink/trunk@187435 bbb929c8-8fbe-4397-9dbb-9b2b20218538
by Marie the Vervet Monkey 2014-12-18 07:06:48 UTC
commit 388118e6169b92a1de01ab2988610464a26eaaf9
Chromium Fix CVE-2014-7930
third_party/WebKit/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash-expected.txt
-3
third_party/WebKit/LayoutTests/fast/dom/shadow/event-path-after-deleting-tree-scope-crash.html
-14
third_party/WebKit/Source/core/events/TreeScopeEventContext.cpp
+2 -4
third_party/WebKit/Source/core/events/TreeScopeEventContext.h
-2
expand_less