From 8c250056b3e12c733f4691c6baf02c5e0056ace9 Mon Sep 17 00:00:00 2001
From: ChangSeok Oh
Date: Thu, 16 Apr 2020 17:37:24 +0100
Subject: [PATCH] Fix CVE-2020-10018
Origin: https://trac.webkit.org/changeset/257292/webkit
===================================================================
Gbp-Pq: Name cve-2020-10018-fix.patch
---
 Source/WebCore/accessibility/AXObjectCache.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Source/WebCore/accessibility/AXObjectCache.cpp b/Source/WebCore/accessibility/AXObjectCache.cpp
index b35fc15643..fd1c2470b6 100644
--- a/Source/WebCore/accessibility/AXObjectCache.cpp
+++ b/Source/WebCore/accessibility/AXObjectCache.cpp
@@ -758,6 +758,12 @@ void AXObjectCache::remove(Node& node)
 m_deferredFocusedNodeChange.removeAllMatching([&node](auto& entry) -> bool {
 return entry.second == &node;
 });
+ // Set nullptr to the old focused node if it is being removed.
+ std::for_each(m_deferredFocusedNodeChange.begin(), m_deferredFocusedNodeChange.end(), [&node](auto& entry) {
+ if (entry.first == &node)
+ entry.first = nullptr;
+ });
+
 removeNodeForUse(node);
 remove(m_nodeObjectMapping.take(&node));
-- 
2.30.2
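Review bot: The added `std::for_each` leaves entries in `m_deferredFocusedNodeChange` whose `first` is now `nullptr`, so whatever later drains that list must accept a null old-focus node; that consumer is outside this hunk and should be checked, ideally with a regression test that removes the previously focused node while a focus change is still deferred. The new comment says what the loop does but not why; something like `// The deferred list keeps raw Node pointers; clear the old-focus side so a removed node is never dereferenced later.` would record the reason for the fix. A plain `for (auto& entry : m_deferredFocusedNodeChange)` with the same `if` would read more simply and would not depend on `<algorithm>` being included, which the hunk does not show. Because the entries appear to be raw pointers, any path that destroys a node without passing through `remove(Node&)` could still leave a stale entry, so a weak-reference element type may be worth considering as a follow-up. The body of `AXObjectCache::remove` starts and ends outside the hunk.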