qt-bugs@ issue : none yet
Trolltech task ID : none yet
bugs.kde.org number : none
applied: no
author: Apple

this fixes CVE-2008-3632:

Use-after-free vulnerability in WebKit in Apple iPod touch 1.1 through 2.0.2,
and iPhone 1.0 through 2.0.2, allows remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a web page with crafted
Cascading Style Sheets (CSS) import statements.


--- src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -291,9 +291,8 @@
     m_renderArena = 0;
 
     m_axObjectCache = 0;
-    
-    // FIXME: DocLoader probably no longer needs the frame argument
-    m_docLoader = new DocLoader(frame, this);
+
+    m_docLoader = new DocLoader(this);
 
     visuallyOrdered = false;
     m_bParsing = false;
@@ -1169,15 +1168,23 @@
     if (render)
         render->destroy();
 
-    // FIXME: is this needed or desirable?
-    m_frame = 0;
-    
+    // This is required, as our Frame might delete itself as soon as it detaches
+    // us.  However, this violates Node::detach() symantics, as it's never
+    // possible to re-attach.  Eventually Document::detach() should be renamed
+    // or this call made explicit in each of the callers of Document::detach().
+    clearFramePointer();
+
     if (m_renderArena) {
         delete m_renderArena;
         m_renderArena = 0;
     }
 }
 
+void Document::clearFramePointer()
+{
+    m_frame = 0;
+}
+
 void Document::removeAllEventListenersFromAllNodes()
 {
     m_windowEventListeners.clear();
--- src/3rdparty/webkit/WebCore/dom/Document.h
+++ src/3rdparty/webkit/WebCore/dom/Document.h
@@ -344,6 +344,8 @@
     virtual void attach();
     virtual void detach();
 
+    void clearFramePointer();
+
     RenderArena* renderArena() { return m_renderArena; }
 
     AXObjectCache* axObjectCache() const;
--- src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
+++ src/3rdparty/webkit/WebCore/loader/DocLoader.cpp
@@ -40,10 +40,9 @@
 
 namespace WebCore {
 
-DocLoader::DocLoader(Frame *frame, Document* doc)
+DocLoader::DocLoader(Document* doc)
     : m_cache(cache())
     , m_cachePolicy(CachePolicyVerify)
-    , m_frame(frame)
     , m_doc(doc)
     , m_requestCount(0)
     , m_autoLoadImages(true)
@@ -53,6 +52,11 @@
     m_cache->addDocLoader(this);
 }
 
+Frame* DocLoader::frame() const
+{
+    return m_doc->frame();
+}
+
 DocLoader::~DocLoader()
 {
     HashMap<String, CachedResource*>::iterator end = m_docResources.end();
@@ -146,7 +150,7 @@
         }
     }
                                                           
-    if (m_frame && m_frame->loader()->isReloading())
+    if (frame() && frame()->loader()->isReloading())
         setCachePolicy(CachePolicyReload);
 
     checkForReload(fullURL);
@@ -197,8 +201,8 @@
 void DocLoader::setLoadInProgress(bool load)
 {
     m_loadInProgress = load;
-    if (!load && m_frame)
-        m_frame->loader()->loadDone();
+    if (!load && frame())
+        frame()->loader()->loadDone();
 }
 
 void DocLoader::checkCacheObjectStatus(CachedResource* resource)
@@ -217,7 +221,7 @@
     }
     
     // Notify the caller that we "loaded".
-    if (!m_frame || m_frame->loader()->haveToldBridgeAboutLoad(resource->url()))
+    if (!frame() || frame()->loader()->haveToldBridgeAboutLoad(resource->url()))
         return;
     
     ResourceRequest request(resource->url());
@@ -226,9 +230,9 @@
     
     if (resource->sendResourceLoadCallbacks()) {
         // FIXME: If the WebKit client changes or cancels the request, WebCore does not respect this and continues the load.
-        m_frame->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
+        frame()->loader()->loadedResourceFromMemoryCache(request, response, data ? data->size() : 0);
     }
-    m_frame->loader()->didTellBridgeAboutLoad(resource->url());
+    frame()->loader()->didTellBridgeAboutLoad(resource->url());
 }
 
 void DocLoader::incrementRequestCount()
--- src/3rdparty/webkit/WebCore/loader/DocLoader.h
+++ src/3rdparty/webkit/WebCore/loader/DocLoader.h
@@ -49,7 +49,7 @@
 friend class HTMLImageLoader;
 
 public:
-    DocLoader(Frame*, Document*);
+    DocLoader(Document*);
     ~DocLoader();
 
     CachedImage* requestImage(const String& url);
@@ -73,7 +73,7 @@
     CachePolicy cachePolicy() const { return m_cachePolicy; }
     void setCachePolicy(CachePolicy);
     
-    Frame* frame() const { return m_frame; }
+    Frame* frame() const; // Can be NULL
     Document* doc() const { return m_doc; }
 
     void removeCachedResource(CachedResource*) const;
@@ -100,7 +100,6 @@
     HashSet<String> m_reloadedURLs;
     mutable HashMap<String, CachedResource*> m_docResources;
     CachePolicy m_cachePolicy;
-    Frame* m_frame;
     Document *m_doc;
     
     int m_requestCount;