The Vulnerability History Project

Revert 168169 "Fix use-after-free of m_currentSpeechUtterance."

      Wrong merge base when committing!

> Fix use-after-free of m_currentSpeechUtterance.
> 
> SpeechSynthesis.cpp incorrectly assumed that calling
> m_platformSpeechSynthesizer->cancel() would immediately call
> didFinishSpeaking or speakingErrorOccurred, which would null out
> m_currentSpeechUtterance. This assumption was true in WebKit/Mac, but
> Chromium's platform implementation is asynchronous, so that call may
> come later.
> 
> Fix the issue and simplify the logic by getting rid of the raw pointer
> to the current utterance altogether. Now the RefPtr at the front of the
> utterance queue is the current utterance, and the platform implementation
> is allowed to fire events on utterances that are no longer in the queue.
> 
> BUG=344881
> R=abarth@chromium.org
> 
> Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168092
> 
> Review URL: https://codereview.chromium.org/180553004

TBR=dmazzoni@google.com

Review URL: https://codereview.chromium.org/185093002

git-svn-id: svn://svn.chromium.org/blink/trunk@168170 bbb929c8-8fbe-4397-9dbb-9b2b20218538
    
commit 4dece178be222d15cad7a7ff2e2072ff81cc1764
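
The ownership pattern described in the quoted commit message, as an added C++ sketch that is not Blink's code and not part of the original commit: the front of a reference-counted queue is the current utterance, and a completion event that arrives after cancel() holds its own reference, so it never touches freed memory. All type and function names are hypothetical, and std::shared_ptr stands in for WebKit's RefPtr.

```cpp
#include <deque>
#include <memory>
#include <string>
#include <vector>

struct Utterance { std::string text; };  // hypothetical stand-in, not Blink's class
using UtterancePtr = std::shared_ptr<Utterance>;

struct AsyncPlatform {  // models a platform whose cancel() completes later
    UtterancePtr active;
    std::vector<UtterancePtr> finishedEvents;  // each pending event owns a reference
    void speak(const UtterancePtr& u) { active = u; }
    void cancel() {
        if (active) finishedEvents.push_back(active);
        active.reset();
    }
};

struct Synthesis {
    AsyncPlatform& platform;
    std::deque<UtterancePtr> queue;  // front() is the current utterance
    std::string lastFinished;
    explicit Synthesis(AsyncPlatform& p) : platform(p) {}
    void speak(const std::string& text) {
        queue.push_back(std::make_shared<Utterance>(Utterance{text}));
        if (queue.size() == 1) platform.speak(queue.front());
    }
    void cancel() { queue.clear(); platform.cancel(); }
    void didFinish(const UtterancePtr& u) {
        lastFinished = u->text;  // safe: the event keeps u alive
        if (queue.empty() || queue.front() != u) return;  // utterance already dropped
        queue.pop_front();
        if (!queue.empty()) platform.speak(queue.front());
    }
    void deliverPlatformEvents() {  // a later turn of the event loop
        std::vector<UtterancePtr> events;
        events.swap(platform.finishedEvents);
        for (const auto& u : events) didFinish(u);
    }
};

std::string cancelThenLateEvent() {
    AsyncPlatform platform;
    Synthesis synth(platform);
    synth.speak("first");
    synth.cancel();                 // queue emptied; event for "first" still pending
    synth.speak("second");          // new current utterance
    synth.deliverPlatformEvents();  // late event reads "first" without a dangling pointer
    return synth.lastFinished + ":" + synth.queue.front()->text;
}
```

With a raw pointer to the current utterance instead of the shared reference, the same sequence would have the late event dereference an object the queue had already released.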