From: ChangSeok Oh
Date: Mon, 16 Mar 2020 14:25:01 +0000 (+0000)
Subject: Fix CVE-2020-10018
X-Git-Tag: archive/raspbian/2.26.4-1_deb10u2+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b7950a2507d827e71dcb69ab9ce124961700138a;p=webkit2gtk.git
Fix CVE-2020-10018
Origin: https://trac.webkit.org/changeset/257292/webkit
===================================================================
Gbp-Pq: Name cve-2020-10018-fix.patch
---
diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
index b35fc15643..fd1c2470b6 100644
--- a/Source/WebCore/accessibility/AXObjectCache.cpp
+++ b/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -758,6 +758,12 @@ void AXObjectCache::remove(Node& node)
 m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
 return entry.second == &node;
 });
+ // Set nullptr to the old focused node if it is being removed.
+ std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+ if (entry.first == &node)
+ entry.first = nullptr;
+ });
+
 removeNodeForUse(node);
 
 remove(m_nodeObjectMapping.take(&node));
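Review bot: The added `std::for_each` pass leaves entries in `m_deferredFocusedNodeChange` whose `first` is null, so the code that later drains this list must accept a null old-focused node. That consumer is outside this hunk and the patch does not touch it, so it should be checked before relying on this as the complete fix. The new comment restates the code rather than the reason; something like `// A focus change may still be pending when the old focused node is removed; clear it so the deferred update never uses a stale pointer.` would record why the scrub exists. A range-for (`for (auto& entry : m_deferredFocusedNodeChange)`) would read more plainly than `std::for_each` and would not depend on `<algorithm>` being included, which the hunk does not show. The body of `AXObjectCache::remove(Node&)` starts and ends outside the hunk, so other deferred lists it may need to scrub are not visible here.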