[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 682 High Use after free in history handling. Credit to Stefan Troger.

Giuseppe Iuculano iuculano at debian.org
Tue Dec 7 08:42:59 UTC 2010


Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 682
Revision Id: iuculano at debian.org-20101207084259-sanrjbuftaak2pcy
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Use after free in history handling. Credit to Stefan Troger.


--------------------------------------------------------
  ** Added :
        - debian/patches/59554.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

=== modified file 'debian/changelog'
--- a/debian/changelog	2010-12-03 10:01:52 +0000
+++ b/debian/changelog	2010-12-07 08:42:59 +0000
@@ -3,8 +3,9 @@
   * Backported security patches from stable:
     - Medium Cross-origin video theft with <canvas>. Credit to Nirankush
       Panchbhai and Microsoft Vulnerability Research (MSVR).
+    - High Use after free in history handling. Credit to Stefan Troger.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Fri, 03 Dec 2010 11:00:59 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Mon, 06 Dec 2010 21:58:11 +0100
 
 chromium-browser (6.0.472.63~r59945-2) unstable; urgency=high
 
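Review bot: the new changelog line gives no way to trace the fix: it names neither debian/patches/59554.patch nor an upstream bug or advisory reference, so someone auditing the package cannot tell which entry in debian/patches/series implements "High Use after free in history handling". Suggest naming the patch in the entry, e.g. `    - High Use after free in history handling (59554.patch). Credit to Stefan Troger.`, so the changelog, the series file and the patch line up.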

=== added file 'debian/patches/59554.patch'
--- a/debian/patches/59554.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/59554.patch	2010-12-07 08:42:59 +0000
@@ -0,0 +1,25 @@
+--- a/src/third_party/WebKit/WebCore/loader/RedirectScheduler.cpp
++++ b/src/third_party/WebKit/WebCore/loader/RedirectScheduler.cpp
+@@ -323,8 +323,8 @@ void RedirectScheduler::scheduleHistoryN
+ 
+     // Invalid history navigations (such as history.forward() during a new load) have the side effect of cancelling any scheduled
+     // redirects. We also avoid the possibility of cancelling the current load by avoiding the scheduled redirection altogether.
+-    HistoryItem* specifiedEntry = m_frame->page()->backForwardList()->itemAtIndex(steps);
+-    if (!specifiedEntry) {
++    BackForwardList* backForwardList = m_frame->page()->backForwardList();
++    if (steps > backForwardList->forwardListCount() || -steps > backForwardList->backListCount()) {
+         cancel();
+         return;
+     }
+--- a/src/third_party/WebKit/WebCore/page/Page.cpp
++++ b/src/third_party/WebKit/WebCore/page/Page.cpp
+@@ -313,6 +313,9 @@ void Page::goBackOrForward(int distance)
+ 
+ void Page::goToItem(HistoryItem* item, FrameLoadType type)
+ {
++    // stopAllLoaders may end up running onload handlers, which could cause further history traversals that may lead to the passed in HistoryItem
++    // being deref()-ed. Make sure we can still use it with HistoryController::goToItem later.
++    RefPtr<HistoryItem> protector(item);
+     // Abort any current load unless we're navigating the current document to a new state object
+     HistoryItem* currentItem = m_mainFrame->loader()->history()->currentItem();
+     if (!item->stateObject() || !currentItem || item->documentSequenceNumber() != currentItem->documentSequenceNumber() || item == currentItem) {
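Review bot: the added debian/patches/59554.patch starts straight at `--- a/src/third_party/WebKit/WebCore/loader/RedirectScheduler.cpp` with no patch header, so the file itself does not record what it fixes or where it was taken from; add a DEP-3 style `Description:` / `Origin:` block above that first line (the description can reuse the changelog wording, with the upstream change reference filled in where it is known). The code changes themselves read correctly: the `RefPtr<HistoryItem> protector(item);` in Page::goToItem is the actual use-after-free fix, holding a reference across the loader shutdown that the new comment says can run onload handlers and deref the item, and the RedirectScheduler hunk replaces the null test on `itemAtIndex(steps)` with an explicit range check against `forwardListCount()` / `backListCount()`, dropping the now-unused `specifiedEntry` pointer.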

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2010-12-03 10:01:52 +0000
+++ b/debian/patches/series	2010-12-07 08:42:59 +0000
@@ -32,3 +32,4 @@
 60769.patch
 60688.patch
 55745.patch
+59554.patch
