Title: [121160] trunk/Source/WebKit/chromium
- Revision
- 121160
- Author
- [email protected]
- Date
- 2012-06-25 09:30:49 -0700 (Mon, 25 Jun 2012)
Log Message
Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks
https://bugs.webkit.org/show_bug.cgi?id=87019
Reviewed by David Levin.
Should not access the CallbacksBridge's member field after it's freed.
* src/WorkerFileSystemCallbacksBridge.cpp:
(WebKit::WorkerFileSystemCallbacksBridge::cleanUpAfterCallback):
Modified Paths
Diff
Modified: trunk/Source/WebKit/chromium/ChangeLog (121159 => 121160)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-06-25 15:40:43 UTC (rev 121159)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-06-25 16:30:49 UTC (rev 121160)
@@ -1,3 +1,15 @@
+2012-06-25 Kinuko Yasuda <[email protected]>
+
+ Heap-use-after-free in WebKit::MainThreadFileSystemCallbacks
+ https://bugs.webkit.org/show_bug.cgi?id=87019
+
+ Reviewed by David Levin.
+
+ Should not access the CallbacksBridge's member field after it's freed.
+
+ * src/WorkerFileSystemCallbacksBridge.cpp:
+ (WebKit::WorkerFileSystemCallbacksBridge::cleanUpAfterCallback):
+
2012-06-24 Luke Macpherson <[email protected]>
Add runtime flag to enable/disable CSS variables (in addition to existing compile-time flag).
Modified: trunk/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp (121159 => 121160)
--- trunk/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp 2012-06-25 15:40:43 UTC (rev 121159)
+++ trunk/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp 2012-06-25 16:30:49 UTC (rev 121160)
@@ -187,8 +187,10 @@
m_callbacksOnWorkerThread = 0;
if (m_workerContextObserver) {
- delete m_workerContextObserver;
+ WorkerFileSystemContextObserver* observer = m_workerContextObserver;
m_workerContextObserver = 0;
+ // The next line may delete this.
+ delete observer;
}
}
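Review bot: The reordering in this hunk is correct but fragile: clearing `m_workerContextObserver` before `delete observer` is what prevents the use-after-free, because the observer's destruction can destroy the bridge itself, as the comment "The next line may delete this." warns. Since `this` may be gone once `delete observer;` returns, nothing may be added after that statement in `cleanUpAfterCallback`, and the comment should say so explicitly (for example, "The next line may delete this; do not touch any member after it.") so a later edit does not reintroduce the bug by appending code to the end of the function.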
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes