Commit 15a81fcd authored by abarth@webkit.org

2009-06-13 Victor Wang <victorw@chromium.org>

        Reviewed by Eric Seidel.  Landed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=26333
        Alert during a dragenter event handler will crash the renderer
        
        This crash is caused by calling NULL pointer m_documentUnderMouse in
        DragController::tryDocumentDrag()

        tryDHTMLDrag fires dragenter event. The event listener that listens
        to this event may create a nested message loop (open a modal dialog),
        which could process dragleave event and reset m_documentUnderMouse in
        dragExited.

        Fix the crash by checking m_documentUnderMouse after tryDHTMLDrag and
        do not continue if the pointer has been set to NULL.

        Test: DRT does not show alerts so add a manual test:
              manual-tests/drag-enter-alert.html

        * manual-tests/drag-enter-alert.html: Added.
        * manual-tests/resources/drag-image.png: Added.
        * page/DragController.cpp:
        (WebCore::DragController::tryDocumentDrag):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@44659 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 82eca6c2
2009-06-13 Victor Wang <victorw@chromium.org>
Reviewed by Eric Seidel. Landed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=26333
Alert during a dragenter event handler will crash the renderer
This crash is casued by calling NULL pointer m_documentUnderMouse in
DragController::tryDocumentDrag()
tryDHTMLDrag fires dragenter event. The event listener that listens
to this event may create a nested message loop (open a modal dialog),
which could process dragleave event and reset m_documentUnderMouse in
dragExited.
Fix the crash by checking m_documentUnderMouse after tryDHTMLDrag and
do not continue if the pointer has been set to NULL.
Test: DRT does not show alerts so add a manual test:
manual-tests/drag-enter-alert.html
* manual-tests/drag-enter-alert.html: Added.
* manual-tests/resources/drag-image.png: Added.
* page/DragController.cpp:
(WebCore::DragController::tryDocumentDrag):
2009-06-13 Nate Chapin <japhet@google.com>
Reviewed by Dimitri Glazkov. Landed by Adam Barth.
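Review bot: typo in the new ChangeLog entry: "casued" should be "caused" (the same sentence appears in the commit message).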
<html>
<head>
<script type="text/javascript">
function test() {
if (window.layoutTestController)
layoutTestController.dumpAsText();
var element = document.documentElement;
var showAlert = function() {
alert('Click OK button.');
};
if (element.addEventListener)
element.addEventListener('dragenter', showAlert, false);
else
element.attachEvent('ondragenter', showAlert);
}
</script>
</head>
<body onload="test()">
<p>Do the following and see if Webkit crashes.</p>
<ul>
<li>Drag the image</li>
<li>Click the OK button on the alert box</li>
</ul>
<img id="dragimage" src="resources/drag-image.png" width="32px" height="32px">
</body>
</html>
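Review bot: `width="32px" height="32px"` on the `<img>` element are not valid attribute values; the HTML `width`/`height` attributes take a bare pixel count, so write `width="32" height="32"` (or move the sizing into a `style` attribute). The `attachEvent` branch is unreachable in WebKit and `layoutTestController.dumpAsText()` does nothing when the page is opened manually, so both could be dropped to keep the repro minimal.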
......@@ -264,8 +264,16 @@ DragOperation DragController::tryDocumentDrag(DragData* dragData, DragDestinatio
return DragOperationNone;
DragOperation operation = DragOperationNone;
if (actionMask & DragDestinationActionDHTML)
if (actionMask & DragDestinationActionDHTML) {
operation = tryDHTMLDrag(dragData);
// Do not continue if m_documentUnderMouse has been reset by tryDHTMLDrag.
// tryDHTMLDrag fires dragenter event. The event listener that listens
// to this event may create a nested message loop (open a modal dialog),
// which could process dragleave event and reset m_documentUnderMouse in
// dragExited.
if (!m_documentUnderMouse)
return DragOperationNone;
}
m_isHandlingDrag = operation != DragOperationNone;
RefPtr<FrameView> frameView = m_documentUnderMouse->view();
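Review bot: the early return at `if (!m_documentUnderMouse) return DragOperationNone;` bypasses the `m_isHandlingDrag = operation != DragOperationNone;` assignment below it, so whatever value `m_isHandlingDrag` held from the previous call is left untouched; either reset it before returning or extend the comment to say why dragExited already leaves it consistent. The check itself is correctly placed immediately before the `m_documentUnderMouse->view()` dereference that crashed when a nested message loop processed dragleave.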