Allow user agent events within SVGImage destructor

See the bug for repro information. It is possible to attempt to send the "ready" event from within an EventDispatchForbiddenScope, while unloading an invalid SVG image. This happens when the SVGImage destructor tries to notify its frame that it will be detached. With this CL, we again allow events to be dispatched under the assumption that this is a separate Page (where script is disabled), and thus any events dispatched from these calls will neither reach the Element/Document/Page which added the restriction nor any script in the "sub-Page" itself. Bug: 1029262 Change-Id: Ibc72f58b102742530fb5ccf1ee47e58b16503a10 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1949228 Commit-Queue: Mason Freed <masonfreed@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#722540}

Allow user agent events within SVGImage destructor
See the bug for repro information. It is possible to attempt to send the "ready" event from within an EventDispatchForbiddenScope, while unloading an invalid SVG image. This happens when the SVGImage destructor tries to notify its frame that it will be detached. With this CL, we again allow events to be dispatched under the assumption that this is a separate Page (where script is disabled), and thus any events dispatched from these calls will neither reach the Element/Document/Page which added the restriction nor any script in the "sub-Page" itself. Bug: 1029262 Change-Id: Ibc72f58b102742530fb5ccf1ee47e58b16503a10 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1949228 Commit-Queue: Mason Freed <masonfreed@chromium.org> Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#722540}
96a982b2 · Mason Freed · Commit Bot · b2ac2f1d · 96a982b2 · 96a982b2
Commit 96a982b2 authored Dec 06, 2019 by Mason Freed Committed by Commit Bot Dec 06, 2019
2 changed files
--- a/third_party/blink/renderer/core/svg/graphics/svg_image.cc
+++ b/third_party/blink/renderer/core/svg/graphics/svg_image.cc
@@ -107,6 +107,11 @@ SVGImage::~SVGImage() {
    frame_client_->ClearImage();
  if (page_) {
+    // It is safe to allow UA events within this scope, because event
+    // dispatching inside the SVG image's document doesn't trigger JavaScript
+    // execution. All script execution is forbidden when an SVG is loaded as an
+    // image subresource - see SetScriptEnabled in SVGImage::DataChanged().
+    EventDispatchForbiddenScope::AllowUserAgentEvents allow_events;
    // Store m_page in a local variable, clearing m_page, so that
    // SVGImageChromeClient knows we're destructed.
    Page* current_page = page_.Release();

--- a/third_party/blink/web_tests/external/wpt/dom/svg-insert-crash.html
+++ b/third_party/blink/web_tests/external/wpt/dom/svg-insert-crash.html
+<!DOCTYPE html>
+<meta charset="utf-8">
+<link rel="author" title="Mason Freed" href="mailto:masonfreed@chromium.org">
+<link rel="help" href="https://crbug.com/1029262">
+<meta name="assert" content="The renderer should not crash.">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<svg>
+  <!-- Note that the SVG in the data URL below is intentionally malformed: -->
+ <feImage xlink:href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg'><rect"/>
+</svg>
+<script>
+async_test(t => {
+  window.onload = t.step_func_done();
+}, 'The renderer should not crash.');
+</script>