Cherry-pick WebKit change 60984 to fix an exploitable crash when focus is changed Bug: 2895569 Change-Id: I76f48ca7d6ddee996127254c5f1f00e355318527

commit: 2b6ea0299b0340ff815b7beab6e7491ff5e4d6c0 [log] [tgz]
author: Steve Block <steveblock@google.com> Thu Aug 05 12:10:12 2010 +0100
committer: Steve Block <steveblock@google.com> Thu Aug 05 12:10:12 2010 +0100
tree: 3d9e2aa77f81a9a5cfcb48e2f1d4523a50df7a07
parent: 9d4701f9dc3d6fec15813f6ff9da0ae2611aa4be [diff]
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 0a1bc75..e12d326 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp

@@ -1259,8 +1259,12 @@
             return;
     }
 
-    if (Page* page = doc->page())
+    RefPtr<Node> protect;
+    if (Page* page = doc->page()) {
+        // Focus and change event handlers can cause us to lose our last ref.
+        protect = this;
         page->focusController()->setFocusedNode(this, doc->frame());
+    }
 
     // Setting the focused node above might have invalidated the layout due to scripts.
     doc->updateLayoutIgnorePendingStylesheets();
commit	2b6ea0299b0340ff815b7beab6e7491ff5e4d6c0	[log] [tgz]
author	Steve Block <steveblock@google.com>	Thu Aug 05 12:10:12 2010 +0100
committer	Steve Block <steveblock@google.com>	Thu Aug 05 12:10:12 2010 +0100
tree	3d9e2aa77f81a9a5cfcb48e2f1d4523a50df7a07
parent	9d4701f9dc3d6fec15813f6ff9da0ae2611aa4be [diff]