angler-fishThe Vulnerability History Project

Use RefPtr for MutationObserver in MutationObserverInterestGroup.

      In MutaionObserverInterestGroup, MutationObservers were held in HashSet
as raw pointers.  In case a MutationObserver is gone while mutation
events are collected (and garbage collector collects the object),
it causes use-after-free while the code tries to enqueue the recorded
mutation events.  Use RefPtr<> to hold the pointer so that the object
will be kept until it goes out of scope.

BUG=557981
TEST=fast/dom/MutationObserver/mutation-and-deletion-race.html

Review URL: https://codereview.chromium.org/1463433002

Cr-Commit-Position: refs/heads/master@{#360541}
by Betty the Pygmy Marmoset 2015-11-19 07:17:44 UTC
commit a17c2c87065be2c4dcb586583b1d69a5c85dae20
Chromium Fix CVE-2015-6789
third_party/WebKit/LayoutTests/fast/dom/MutationObserver/mutation-and-deletion-race-expected.txt
-9
third_party/WebKit/LayoutTests/fast/dom/MutationObserver/mutation-and-deletion-race.html
-24
third_party/WebKit/Source/core/dom/MutationObserverInterestGroup.cpp
+3 -3
third_party/WebKit/Source/core/dom/MutationObserverInterestGroup.h
+2 -2
third_party/WebKit/Source/core/dom/Node.cpp
+3 -3
third_party/WebKit/Source/core/dom/Node.h
+1 -1
expand_less