Merge r174922 - Ensure attached frame count doesn't exceed the maximu…

…m allowed frames https://bugs.webkit.org/show_bug.cgi?id=136457 Reviewed by Alexey Proskuryakov. Source/WebCore: Test: fast/frames/exponential-frames.html * html/HTMLFrameElementBase.cpp: (WebCore::HTMLFrameElementBase::isURLAllowed): LayoutTests: * fast/frames/exponential-frames-expected.txt: Added. * fast/frames/exponential-frames.html: Added. Canonical link: https://commits.webkit.org/154760.145@webkitgtk/2.6 git-svn-id: https://svn.webkit.org/repository/webkit/releases/WebKitGTK/webkit-2.6@175897 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Nov 11, 2014 · 9990be4 · 9990be4
1 parent 8d89e8c
commit 9990be4
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2014-10-17  Jeffrey Pfau  <jpfau@apple.com>
+
+        Ensure attached frame count doesn't exceed the maximum allowed frames
+        https://bugs.webkit.org/show_bug.cgi?id=136457
+
+        Reviewed by Alexey Proskuryakov.
+
+        * fast/frames/exponential-frames-expected.txt: Added.
+        * fast/frames/exponential-frames.html: Added.
+
 2014-10-20  Youenn Fablet  <youenn.fablet@crf.canon.fr>
 
         Tighten XMLHttpRequest setRequestHeader value check

diff --git a/LayoutTests/fast/frames/exponential-frames-expected.txt b/LayoutTests/fast/frames/exponential-frames-expected.txt
@@ -0,0 +1 @@
+This test passes if it does not crash.
diff --git a/LayoutTests/fast/frames/exponential-frames.html b/LayoutTests/fast/frames/exponential-frames.html
@@ -0,0 +1,25 @@
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<body>
+This test passes if it does not crash.
+<script>
+var elem = document.body;
+var frame = document.createElement("iframe");
+frame.setAttribute("id", "frame");
+document.body.appendChild(frame);
+var div = document.createElement("div");
+div.setAttribute("id", "div");
+frame.appendChild(div);
+for (var i = 0; i < 10; i++) {
+    var div = document.getElementById("div");
+    var clone = elem.parentElement.cloneNode(true);
+    div.appendChild(clone);
+}
+frame.parentElement.removeChild(frame);
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2014-10-17  Jeffrey Pfau  <jpfau@apple.com>
+
+        Ensure attached frame count doesn't exceed the maximum allowed frames
+        https://bugs.webkit.org/show_bug.cgi?id=136457
+
+        Reviewed by Alexey Proskuryakov.
+
+        Test: fast/frames/exponential-frames.html
+
+        * html/HTMLFrameElementBase.cpp:
+        (WebCore::HTMLFrameElementBase::isURLAllowed):
+
 2014-10-20  Youenn Fablet  <youenn.fablet@crf.canon.fr>
 
         Tighten XMLHttpRequest setRequestHeader value check

diff --git a/Source/WebCore/html/HTMLFrameElementBase.cpp b/Source/WebCore/html/HTMLFrameElementBase.cpp
@@ -55,6 +55,9 @@ HTMLFrameElementBase::HTMLFrameElementBase(const QualifiedName& tagName, Documen
 
 bool HTMLFrameElementBase::isURLAllowed() const
 {
+    if (document().page() && document().page()->subframeCount() >= Page::maxNumberOfFrames)
+        return false;
+
     if (m_URL.isEmpty())
         return true;