angler-fishThe Vulnerability History Project

Revert 60949 - Render crash in FormManager::FindCachedFormElement()

      To address the vulnerability of stale WebFrame pointers in the FormManager's cache this CL changes the cache from a map (with the WebFrame pointer as &quotkey&quot) to a flat vector of simplified &quotFormElement*&quot items.

To avoid leaking memory, we need to still observe |frameDetached|, and use that as a signal to reap any associated WebFormElements or WebFormControlElements.

BUG=48857
TEST=FormMananagerTest.*, and manual test of regular form filling, form filling a form with sub-iframes, and form filling a form with sub-frames.

Review URL: http://codereview.chromium.org/3492015

TBR=dhollowa@chromium.org
Review URL: http://codereview.chromium.org/3543003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60953 0039d316-1c4b-4281-b951-d872f2087c98
by Valerie the Drever 2010-09-29 17:24:54 UTC
commit 38dcd4ee1a5ca056ee486aa43657e89b510a71c1
Chromium Fix CVE-2010-4034
chrome/renderer/form_manager.cc
+67 -86
chrome/renderer/form_manager.h
+4 -6
expand_less