Title: [94564] trunk
- Revision
- 94564
- Author
- [email protected]
- Date
- 2011-09-06 05:57:01 -0700 (Tue, 06 Sep 2011)
Log Message
2011-09-06 Rob Buis <[email protected]>
use after free in WebCore::SVGTRefElement::updateReferencedText
https://bugs.webkit.org/show_bug.cgi?id=67555
Reviewed by Nikolas Zimmermann.
Do not install event listener if tref is not part of any document.
Test: svg/custom/tref-clone-crash.html
* svg/SVGTRefElement.cpp:
(WebCore::SVGTRefElement::svgAttributeChanged):
Diff
Modified: trunk/LayoutTests/ChangeLog (94563 => 94564)
--- trunk/LayoutTests/ChangeLog 2011-09-06 12:48:39 UTC (rev 94563)
+++ trunk/LayoutTests/ChangeLog 2011-09-06 12:57:01 UTC (rev 94564)
@@ -1,3 +1,15 @@
+2011-09-06 Rob Buis <[email protected]>
+
+ use after free in WebCore::SVGTRefElement::updateReferencedText
+ https://bugs.webkit.org/show_bug.cgi?id=67555
+
+ Reviewed by Nikolas Zimmermann.
+
+ Test that cloned tref does not cause a crash.
+
+ * svg/custom/tref-clone-crash-expected.txt: Added.
+ * svg/custom/tref-clone-crash.html: Added.
+
2011-09-06 Csaba Osztrogonác <[email protected]>
[Qt][ARM] Missing WebGLContextEvent window property
Added: trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt (0 => 94564)
--- trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt 2011-09-06 12:57:01 UTC (rev 94564)
@@ -0,0 +1 @@
+PASS
Added: trunk/LayoutTests/svg/custom/tref-clone-crash.html (0 => 94564)
--- trunk/LayoutTests/svg/custom/tref-clone-crash.html (rev 0)
+++ trunk/LayoutTests/svg/custom/tref-clone-crash.html 2011-09-06 12:57:01 UTC (rev 94564)
@@ -0,0 +1,28 @@
+<svg _onload_="runTest()">
+ <defs>
+ <style id="style"/>
+ <text id="ref"></text>
+ </defs>
+ <g><use xlink:href=""
+ <g><text><tref id="tref" xlink:href=""
+ <script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ function runTest() {
+ var tref = document.getElementById("tref");
+ tref.cloneNode(true);
+ window.setTimeout("finishTest()", 500);
+ }
+ function finishTest() {
+ var elem = document.getElementById("style");
+ var parent = elem.parentNode;
+ // trigger tref event listeners
+ parent.insertBefore(document.createElement("source"), elem);
+ document.body.innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ </script>
+</svg>
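Review bot: the test depends on a fixed 500 ms timer (`window.setTimeout("finishTest()", 500)`) between cloning the tref and mutating the DOM, which is an arbitrary wait rather than a deterministic trigger for the freed clone; a slower debug or instrumented build could mutate before the clone has been collected and miss the regression, while a faster one just idles. Consider triggering the mutation from a more deterministic point (for example forcing garbage collection via `gc()` where the harness provides it, or documenting in a comment why 500 ms is enough) so that a reintroduced use-after-free reliably reproduces. A comment stating what `tref.cloneNode(true)` sets up (a detached clone whose listener is still registered on the referenced element, per the ChangeLog wording) would also make the intent of `parent.insertBefore(document.createElement("source"), elem)` clearer to a future reader.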
Modified: trunk/Source/WebCore/ChangeLog (94563 => 94564)
--- trunk/Source/WebCore/ChangeLog 2011-09-06 12:48:39 UTC (rev 94563)
+++ trunk/Source/WebCore/ChangeLog 2011-09-06 12:57:01 UTC (rev 94564)
@@ -1,3 +1,17 @@
+2011-09-06 Rob Buis <[email protected]>
+
+ use after free in WebCore::SVGTRefElement::updateReferencedText
+ https://bugs.webkit.org/show_bug.cgi?id=67555
+
+ Reviewed by Nikolas Zimmermann.
+
+ Do not install event listener if tref is not part of any document.
+
+ Test: svg/custom/tref-clone-crash.html
+
+ * svg/SVGTRefElement.cpp:
+ (WebCore::SVGTRefElement::svgAttributeChanged):
+
2011-09-06 Sheriff Bot <[email protected]>
Unreviewed, rolling out r94560.
Modified: trunk/Source/WebCore/svg/SVGTRefElement.cpp (94563 => 94564)
--- trunk/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-06 12:48:39 UTC (rev 94563)
+++ trunk/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-06 12:57:01 UTC (rev 94564)
@@ -182,6 +182,8 @@
SVGElementInstance::InvalidationGuard invalidationGuard(this);
if (SVGURIReference::isKnownAttribute(attrName)) {
+ if (!inDocument())
+ return;
if (m_eventListener) {
m_eventListener->removeFromTarget();
m_eventListener = 0;
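Review bot: the new `if (!inDocument()) return;` sits above the `if (m_eventListener) { m_eventListener->removeFromTarget(); ... }` block, so it short-circuits the teardown path as well as the installation path. If a tref that already has `m_eventListener` installed is removed from its document and then has its href attribute changed, the stale listener stays registered on the old target; either confirm that the listener is always cleared on removal from the document, or narrow the guard so it only skips installing a new listener while still running the existing `removeFromTarget()` cleanup. A short comment on the early return explaining that it exists for detached clones (the ChangeLog says "Do not install event listener if tref is not part of any document") would help keep that intent from being lost in later refactors.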
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes