[Pkg-chromium-commit] chromium-browser/chromium-browser.sid: 682 High Use after free in history handling. Credit to Stefan Troger.
Giuseppe Iuculano
iuculano at debian.org
Tue Dec 7 08:42:59 UTC 2010
Branch name: chromium-browser/chromium-browser.sid
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.sid
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 682
Revision Id: iuculano at debian.org-20101207084259-sanrjbuftaak2pcy
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : High Use after free in history handling. Credit to Stefan Troger.
--------------------------------------------------------
** Added :
- debian/patches/59554.patch
** Modified :
- debian/changelog
- debian/patches/series
=== modified file 'debian/changelog'
--- a/debian/changelog 2010-12-03 10:01:52 +0000
+++ b/debian/changelog 2010-12-07 08:42:59 +0000
@@ -3,8 +3,9 @@
* Backported security patches from stable:
- Medium Cross-origin video theft with <canvas>. Credit to Nirankush
Panchbhai and Microsoft Vulnerability Research (MSVR).
+ - High Use after free in history handling. Credit to Stefan Troger.
- -- Giuseppe Iuculano <iuculano at debian.org> Fri, 03 Dec 2010 11:00:59 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Mon, 06 Dec 2010 21:58:11 +0100
chromium-browser (6.0.472.63~r59945-2) unstable; urgency=high
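Review bot: The new changelog line identifies the fix only by its upstream title ("High Use after free in history handling"), while the patch it adds is named 59554.patch; carrying that upstream issue number into the entry (and a CVE id if one is assigned later) would let readers trace the fix from the changelog without opening debian/patches. The entry otherwise fits the existing "Backported security patches from stable" list, and the updated signature date is consistent with the new revision.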
=== added file 'debian/patches/59554.patch'
--- a/debian/patches/59554.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/59554.patch 2010-12-07 08:42:59 +0000
@@ -0,0 +1,25 @@
+--- a/src/third_party/WebKit/WebCore/loader/RedirectScheduler.cpp
++++ b/src/third_party/WebKit/WebCore/loader/RedirectScheduler.cpp
+@@ -323,8 +323,8 @@ void RedirectScheduler::scheduleHistoryN
+
+ // Invalid history navigations (such as history.forward() during a new load) have the side effect of cancelling any scheduled
+ // redirects. We also avoid the possibility of cancelling the current load by avoiding the scheduled redirection altogether.
+- HistoryItem* specifiedEntry = m_frame->page()->backForwardList()->itemAtIndex(steps);
+- if (!specifiedEntry) {
++ BackForwardList* backForwardList = m_frame->page()->backForwardList();
++ if (steps > backForwardList->forwardListCount() || -steps > backForwardList->backListCount()) {
+ cancel();
+ return;
+ }
+--- a/src/third_party/WebKit/WebCore/page/Page.cpp
++++ b/src/third_party/WebKit/WebCore/page/Page.cpp
+@@ -313,6 +313,9 @@ void Page::goBackOrForward(int distance)
+
+ void Page::goToItem(HistoryItem* item, FrameLoadType type)
+ {
++ // stopAllLoaders may end up running onload handlers, which could cause further history traversals that may lead to the passed in HistoryItem
++ // being deref()-ed. Make sure we can still use it with HistoryController::goToItem later.
++ RefPtr<HistoryItem> protector(item);
+ // Abort any current load unless we're navigating the current document to a new state object
+ HistoryItem* currentItem = m_mainFrame->loader()->history()->currentItem();
+ if (!item->stateObject() || !currentItem || item->documentSequenceNumber() != currentItem->documentSequenceNumber() || item == currentItem) {
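Review bot: The added patch file starts directly at the first `--- a/src/third_party/WebKit/...` line with no DEP-3 header (Description, Origin, Bug), so nothing in debian/patches records which upstream WebKit or Chromium revision these two hunks were backported from; an `Origin:` line naming the upstream change would help whoever has to refresh this patch on the next rebase. On the logic itself: in RedirectScheduler the null check on `itemAtIndex(steps)` is replaced by explicit range checks, `steps > backForwardList->forwardListCount() || -steps > backForwardList->backListCount()`, so out-of-range steps are rejected without handing back a possibly stale HistoryItem, and the strict `>` comparisons still admit the last forward or back entry; in Page::goToItem the `RefPtr<HistoryItem> protector(item)` keeps the item alive across stopAllLoaders as the added comment explains. Both changes read correctly as shown.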
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2010-12-03 10:01:52 +0000
+++ b/debian/patches/series 2010-12-07 08:42:59 +0000
@@ -32,3 +32,4 @@
60769.patch
60688.patch
55745.patch
+59554.patch