Title: [95816] branches/chromium/874
- Revision
- 95816
- Author
- [email protected]
- Date
- 2011-09-23 09:31:33 -0700 (Fri, 23 Sep 2011)
Log Message
Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText
BUG=95359
Review URL: http://codereview.chromium.org/8015009
Copied: branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash-expected.txt (from rev 95791, trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt) (0 => 95816)
--- branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash-expected.txt (rev 0)
+++ branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash-expected.txt 2011-09-23 16:31:33 UTC (rev 95816)
@@ -0,0 +1 @@
+PASS
Copied: branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash.html (from rev 95791, trunk/LayoutTests/svg/custom/tref-clone-crash.html) (0 => 95816)
--- branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash.html (rev 0)
+++ branches/chromium/874/LayoutTests/svg/custom/tref-clone-crash.html 2011-09-23 16:31:33 UTC (rev 95816)
@@ -0,0 +1,33 @@
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" _onload_="runTest()">
+ <defs>
+ <style id="style"/>
+ <text id="ref"></text>
+ </defs>
+ <g><use xlink:href=""
+ <g><text><tref id="tref" xlink:href=""
+ <script>
+ function gc() {
+ if (window.GCController)
+ GCController.collect();
+ else {
+ for (var i = 0; i < 10000; ++i)
+ new Object;
+ }
+ }
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+ function runTest() {
+ var tref = document.getElementById("tref");
+ tref.cloneNode(true);
+ gc();
+ var elem = document.getElementById("style");
+ var parent = elem.parentNode;
+ parent.insertBefore(document.createElement("source"), elem);
+ document.body.innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }
+ </script>
+</svg>
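Review bot: The test has no comment saying what it exercises, and its only expectation is that the page lives long enough to print PASS, so a reader has to reconstruct the scenario from the commit title. A short comment near runTest() would help, e.g. `<!-- cloneNode(true) parses xlink:href on a tref that is outside the document; once the clone is collected, inserting a node before #style fires DOMSubtreeModified on the same <defs> parent that #ref lives in, which must not reach the dead clone. -->`. The fallback gc() loop of 10000 allocations is only a heuristic, so outside DumpRenderTree (no GCController) the clone may not actually be collected and the test would pass vacuously; that is worth stating in the same comment.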
Modified: branches/chromium/874/Source/WebCore/svg/SVGTRefElement.cpp (95815 => 95816)
--- branches/chromium/874/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-23 16:26:11 UTC (rev 95815)
+++ branches/chromium/874/Source/WebCore/svg/SVGTRefElement.cpp 2011-09-23 16:31:33 UTC (rev 95816)
@@ -195,9 +195,11 @@
return;
}
updateReferencedText();
- m_eventListener = SubtreeModificationEventListener::create(this, id);
- ASSERT(target->parentNode());
- target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+ if (inDocument()) {
+ m_eventListener = SubtreeModificationEventListener::create(this, id);
+ ASSERT(target->parentNode());
+ target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+ }
if (RenderObject* renderer = this->renderer())
RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
return;
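Review bot: The new inDocument() guard skips listener registration but leaves m_eventListener untouched, so an element that is not in the document keeps whatever listener it held earlier unless removedFromDocument() unregisters and clears it; the enclosing function starts above this hunk, so that cannot be confirmed here. The guard deserves a why-comment, e.g. `// Only observe the target's parent while in the document: the listener refers back to this element, and a detached clone can be collected while the listener is still registered (removedFromDocument() is what unregisters it).`. The same resolve-target / updateReferencedText() / register-listener sequence is repeated verbatim in the new insertedIntoDocument() in the next hunk; factoring it into one private helper called from both sites would keep the guard and the listener lifetime in a single place.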
@@ -242,6 +244,21 @@
}
}
+void SVGTRefElement::insertedIntoDocument()
+{
+ SVGStyledElement::insertedIntoDocument();
+ String id;
+ Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+ if (!target) {
+ document()->accessSVGExtensions()->addPendingResource(id, this);
+ return;
+ }
+ updateReferencedText();
+ m_eventListener = SubtreeModificationEventListener::create(this, id);
+ ASSERT(target->parentNode());
+ target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+}
+
void SVGTRefElement::removedFromDocument()
{
SVGStyledElement::removedFromDocument();
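Review bot: In insertedIntoDocument() the unresolved-target branch calls addPendingResource(id, this); if the attribute-change path in the previous hunk also registers a pending resource when the element is not yet in the document (the `return; }` just before its updateReferencedText() call looks like the tail of that branch), an element parsed with an unresolved href would be registered twice, once at parse time and again here. That needs either confirmation that addPendingResource() tolerates duplicate registrations or an inDocument() guard at the first site as well. The function also assigns m_eventListener without removing a previously registered listener, which is only safe if removedFromDocument(), whose body continues past the end of this hunk, always unregisters and clears it; a comment on the assignment stating that precondition, e.g. `// m_eventListener must be null here: removedFromDocument() unregisters it.`, would make the dependency explicit.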
Modified: branches/chromium/874/Source/WebCore/svg/SVGTRefElement.h (95815 => 95816)
--- branches/chromium/874/Source/WebCore/svg/SVGTRefElement.h 2011-09-23 16:26:11 UTC (rev 95815)
+++ branches/chromium/874/Source/WebCore/svg/SVGTRefElement.h 2011-09-23 16:31:33 UTC (rev 95816)
@@ -47,6 +47,7 @@
virtual bool childShouldCreateRenderer(Node*) const;
virtual bool rendererIsNeeded(const NodeRenderingContext&);
+ virtual void insertedIntoDocument();
virtual void removedFromDocument();
void updateReferencedText();