The Vulnerability History Project

Make "InsertHTML" and "Indent" commands handle DOM tree modification during processing

This patch makes the "InsertHTML" and "Indent" commands handle DOM tree modification during processing. When calling Node::insertBefore(), JavaScript may be executed, e.g. by <iframe src="javascript:...">, and it modifies the DOM tree.

In issue 314469, a use-after-free is caused at the |startBlock| variable, which holds a raw Node pointer to a node removed during script execution in ReplaceSelectionCommand::doApply().

The change to CompositeEditCommand::cloneParagraphUnderNewElement() is similar to the one in ReplaceSelectionCommand::doApply(). |outerNode| is removed during CompositeEditCommand::appendNode(), which inserts <iframe src="javascript:...">.

BUG=314469
TEST=LayoutTests/editing/inserting/insert-with-javascript-protocol-crash.html

Review URL: https://codereview.chromium.org/64103002

git-svn-id: svn://svn.chromium.org/blink/trunk@161598 bbb929c8-8fbe-4397-9dbb-9b2b20218538
commit 787c37304814f96e37345ffcab8509b4c7569da3
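The pattern the commit describes, as an added C++ example that is not Blink's code: a toy Node (constructed here) whose insertion runs a script hook, and the post-fix shape of the command, which holds a strong reference to the cached node and re-checks that it is still attached before using it. The names Node::onInsert and insertThenUseStartBlock are assumptions made for this example.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Toy DOM node constructed for this example (not Blink's Node). A parent owns its
// children through shared_ptr, much as Blink's RefPtr<Node> keeps a node alive;
// `parent` is a non-owning back pointer. Appending a child runs its onInsert hook,
// standing in for the JavaScript that <iframe src="javascript:..."> runs inside
// Node::insertBefore().
struct Node : std::enable_shared_from_this<Node> {
    std::string name;
    Node* parent = nullptr;
    std::vector<std::shared_ptr<Node>> children;
    std::function<void()> onInsert;  // hypothetical "script runs on insertion" hook

    explicit Node(std::string n) : name(std::move(n)) {}

    void appendChild(std::shared_ptr<Node> child) {
        child->parent = this;
        children.push_back(child);
        if (child->onInsert) child->onInsert();  // script may mutate the tree here
    }

    void remove() {
        if (!parent) return;
        auto self = shared_from_this();  // keep *this alive while it is unlinked
        auto& sibs = parent->children;
        sibs.erase(std::remove(sibs.begin(), sibs.end(), self), sibs.end());
        parent = nullptr;
    }
};

// Post-fix shape of the editing command: the node cached before the insertion is
// held by a strong reference instead of a raw Node*, and is re-validated after the
// call that may run script. Returns false when script detached the cached node, so
// the command bails out rather than touching memory that a raw pointer would now
// dangle into.
bool insertThenUseStartBlock(const std::shared_ptr<Node>& root,
                             const std::shared_ptr<Node>& cached,
                             std::shared_ptr<Node> toInsert) {
    std::shared_ptr<Node> startBlock = cached;  // strong ref taken before the insertion
    root->appendChild(std::move(toInsert));     // script may remove startBlock here
    if (!startBlock->parent) return false;      // detached by script: do not use it
    startBlock->appendChild(std::make_shared<Node>("#text"));
    return true;
}
```

A weak_ptr observer on the cached node shows that, once the script has removed it and dropped every outside reference, the command's own strong reference is the only thing keeping it alive until the re-check runs.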