The Vulnerability History Project

Avoid using cross RenderView selection rendering

This patch makes sure we pass |RenderObject|s belonging to the RenderView in
|RenderView::setSelection|, which takes two |RenderObject|s for the start and end of
the selection, in |FrameSelection::updateAppearance|.

The bug is caused by |VisibleSelection::base| and |VisibleSelection::start|
being in different documents: |base| points to the IFRAME and |start| points to a |TextNode|
in the IFRAME. This causes |RenderView|, which holds the |RenderObject|s of the selection
start and end points, to have dangling |RenderObject|s, because
|RenderView| doesn't know that a destructed |RenderObject| belongs to another
|RenderView|.

BUG=356690
TEST=LayoutTests/undo/execCommand/crash-redo-with-iframes.html

Review URL: https://codereview.chromium.org/234463003

git-svn-id: svn://svn.chromium.org/blink/trunk@171440 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 3c7b24311c9bc909779984c297b43223dc6ac2f2
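The commit message above describes an ownership problem: a view caches raw pointers to objects that are owned, and later destroyed, by a different view, and it is never told when that happens. The following constructed C++ mock is an added illustration of that pattern and of the defensive check the message describes (only accept selection endpoints that belong to this view). It is not Blink's code; the class names `RenderView` and `RenderObject`, the `view()` accessor and the `destroyObjects()` helper are simplified stand-ins chosen for this example.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Constructed mock of the ownership relation in the commit message:
// each RenderObject is owned by exactly one RenderView.
class RenderView;

class RenderObject {
public:
    explicit RenderObject(RenderView* view) : view_(view) {}
    RenderView* view() const { return view_; }
private:
    RenderView* view_;  // the owning view (hypothetical accessor, not Blink's API)
};

class RenderView {
public:
    RenderObject* createObject() {
        objects_.push_back(std::make_unique<RenderObject>(this));
        return objects_.back().get();
    }

    // Returns true if the selection was stored. Endpoints owned by another
    // view are rejected: this view would never learn of their destruction,
    // so caching them would leave dangling pointers (the bug described above).
    bool setSelection(RenderObject* start, RenderObject* end) {
        if (start == nullptr || end == nullptr) return false;
        if (start->view() != this || end->view() != this) return false;
        selectionStart_ = start;
        selectionEnd_ = end;
        return true;
    }

    RenderObject* selectionStart() const { return selectionStart_; }
    RenderObject* selectionEnd() const { return selectionEnd_; }

    // Simulates tearing down this view's document (e.g. an iframe going away).
    // Only this view knows about its own objects, so only it clears its pointers.
    void destroyObjects() {
        objects_.clear();
        selectionStart_ = nullptr;
        selectionEnd_ = nullptr;
    }

private:
    std::vector<std::unique_ptr<RenderObject>> objects_;
    RenderObject* selectionStart_ = nullptr;
    RenderObject* selectionEnd_ = nullptr;
};

// Scenario from the commit message: the outer view's selection starts at the
// IFRAME box but ends at a text node owned by the iframe's own view.
bool crossViewSelectionIsRejected() {
    RenderView outer, inner;
    RenderObject* iframeBox = outer.createObject();
    RenderObject* textInIframe = inner.createObject();

    bool accepted = outer.setSelection(iframeBox, textInIframe);

    inner.destroyObjects();  // the outer view is never notified of this
    // Had the endpoint been accepted, outer.selectionEnd() would now dangle.
    return !accepted && outer.selectionEnd() == nullptr;
}

// Control: endpoints from the same view are stored normally.
bool sameViewSelectionIsAccepted() {
    RenderView view;
    RenderObject* a = view.createObject();
    RenderObject* b = view.createObject();
    return view.setSelection(a, b)
        && view.selectionStart() == a
        && view.selectionEnd() == b;
}

int main() {
    assert(crossViewSelectionIsRejected());
    assert(sameViewSelectionIsAccepted());
    return 0;
}
```

The check lives at the point where the raw pointer is stored, which is the only place the view can still tell whose object it is; once a foreign object has been destroyed, nothing in the caching view can distinguish a live pointer from a dangling one.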