RESOLVED FIXED113377
[Chromium] REGRESSION(r88030): Right-click on invalid form controls unexpectedly dispatches 'invalid' events 
https://bugs.webkit.org/show_bug.cgi?id=113377
Summary [Chromium] REGRESSION(r88030): Right-click on invalid form controls unexpecte...
Kent Tamura
Reported 2013-03-27 02:06:22 PDT
https://code.google.com/p/chromium/issues/detail?id=126386 (Note: this report doesn't mention possibility of crashes.) http://trac.webkit.org/changeset/88030 In the preparation code of context menu, HTMLFormElement* form = selectedFrame->selection()->currentForm(); if (form && form->checkValidity() && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) { HTMLInputElement* selectedElement = static_cast<HTMLInputElement*>(r.innerNonSharedNode()); if (selectedElement) { WebSearchableFormData ws = WebSearchableFormData(WebFormElement(form), WebInputElement(selectedElement)); form->checkValidity() can dispatch 'invalid' events, and the 'form' object can be removed in event handlers.
Attachments
Patch (1.78 KB, patch)
2013-03-27 02:46 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Kent Tamura
Comment 1 2013-03-27 02:46:52 PDT
Created attachment 195252 [details] Patch
Kent Tamura
Comment 2 2013-03-27 02:48:43 PDT
Comment on attachment 195252 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=195252&action=review > Source/WebKit/chromium/src/ContextMenuClientImpl.cpp:341 > - if (form && form->checkValidity() && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) { > + if (form && r.innerNonSharedNode()->hasTagName(HTMLNames::inputTag)) { I think we have no reason to call checkValidity here, and functions dispatching events should not be called during context menu preparation.
Kent Tamura
Comment 3 2013-03-27 21:40:42 PDT
Ah, I found this didn't cause use-after-free. If form->checkValidity() dispatches 'invalid' events, it returns false. So 'form' won't be accessed in such case. If form->checkValidity() returns true, it won't dispatch events and accessing 'form' is safe.
WebKit Review Bot
Comment 4 2013-03-28 14:45:10 PDT
Comment on attachment 195252 [details] Patch Clearing flags on attachment: 195252 Committed r147161: <http://trac.webkit.org/changeset/147161>
WebKit Review Bot
Comment 5 2013-03-28 14:45:13 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.