Package: webkit2gtk / 2.26.4-1~bpo9+3

cve-2020-10018-fix.patch Patch series | download
From: ChangSeok Oh <changseok@webkit.org>
Subject: Fix CVE-2020-10018
Origin: https://trac.webkit.org/changeset/257292/webkit
Index: webkitgtk/Source/WebCore/accessibility/AXObjectCache.cpp
===================================================================
--- webkitgtk.orig/Source/WebCore/accessibility/AXObjectCache.cpp
+++ webkitgtk/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -758,6 +758,12 @@ void AXObjectCache::remove(Node& node)
     m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
         return entry.second == &node;
     });
+    // Set nullptr to the old focused node if it is being removed.
+    std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+        if (entry.first == &node)
+            entry.first = nullptr;
+    });
+
     removeNodeForUse(node);
 
     remove(m_nodeObjectMapping.take(&node));
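Review bot: The added `std::for_each` over `m_deferredFocusedNodeChange` is the only spot in this hunk that reaches for an iterator-pair algorithm where the adjacent code (the `removeAllMatching` call just above it) uses the container's own idioms; a range-for expresses the same update with less indirection and without relying on `<algorithm>` being visible in this file: `for (auto& entry : m_deferredFocusedNodeChange) { if (entry.first == &node) entry.first = nullptr; }`. The comment above it would also read more precisely as `// Null out the old-focus pointer of any pending change that still refers to the node being removed, so the deferred handler cannot touch it after the node is gone.` Whatever later drains `m_deferredFocusedNodeChange` now has to tolerate a null `entry.first`; that code is outside this hunk, so it is worth confirming in the same change that it does. `AXObjectCache::remove(Node&)` begins before this hunk and continues past it.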