The Vulnerability History Project

Render crash in FormManager::FindCachedFormElement()

To address the vulnerability of stale WebFrame pointers in the FormManager's cache this CL changes the cache from a map (with the WebFrame pointer as "key") to a flat vector of simplified "FormElement*" items.

To avoid leaking memory, we need to still observe |frameDetached|, and use that as a signal to reap any associated WebFormElements or WebFormControlElements.

BUG=48857
TEST=FormMananagerTest.*, and manual test of regular form filling, form filling a form with sub-iframes, and form filling a form with sub-frames.

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=60949

Review URL: http://codereview.chromium.org/3492015

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@60999 0039d316-1c4b-4281-b951-d872f2087c98
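Added example, not Chromium's code: a simplified model of the fix the commit message describes. `Frame`, `FormElement`, `FormCache` and `RunDetachScenario` are names assumed for this illustration only; the cache is a flat vector of items tagged with the frame they came from, and the `frameDetached` observer hook reaps them by pointer identity, so a lookup can never hand back an entry whose frame is already gone.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for a Blink WebFrame: identity only (constructed for this example).
struct Frame { int id; };

// Flat cache item in the spirit of the CL's FormElement: it remembers which
// frame it came from, so a detach can reap it by pointer identity.
struct FormElement {
  const Frame* frame;  // compared by address only, never dereferenced
  std::string name;
};

class FormCache {
 public:
  void Add(const Frame* frame, const std::string& name) {
    forms_.push_back(FormElement{frame, name});
  }
  // The |frameDetached| observer hook: drop every entry from the detached
  // frame so no stale pointer survives in the cache.
  void FrameDetached(const Frame* frame) {
    forms_.erase(std::remove_if(forms_.begin(), forms_.end(),
                   [frame](const FormElement& e) { return e.frame == frame; }),
                 forms_.end());
  }
  // Lookup by name; returns nullptr rather than a dangling entry.
  const FormElement* FindCachedFormElement(const std::string& name) const {
    for (const FormElement& e : forms_)
      if (e.name == name) return &e;
    return nullptr;
  }
  std::size_t size() const { return forms_.size(); }
 private:
  std::vector<FormElement> forms_;
};

struct DetachResult { std::size_t surviving; bool subframe_form_gone; };
// Scenario: the main frame and a sub-iframe each register a form, then the
// iframe is detached; only the main frame's entry should survive.
DetachResult RunDetachScenario() {
  Frame main_frame{1}, sub_frame{2};
  FormCache cache;
  cache.Add(&main_frame, "login");
  cache.Add(&sub_frame, "comment");
  cache.FrameDetached(&sub_frame);  // sub_frame treated as destroyed from here on
  return {cache.size(), cache.FindCachedFormElement("comment") == nullptr};
}
```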
    
commit 9503ca35d3f9ecd86f4766baf4ad9216fef70527