Title: [96034] branches/chromium/835
Revision
96034
Author
c...@chromium.org
Date
2011-09-26 16:31:04 -0700 (Mon, 26 Sep 2011)

Log Message

Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText

BUG=95359
Review URL: http://codereview.chromium.org/8046025

Modified Paths

Added Paths

Diff

Copied: branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt (from rev 95791, trunk/LayoutTests/svg/custom/tref-clone-crash-expected.txt) (0 => 96034)


--- branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt	                        (rev 0)
+++ branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash-expected.txt	2011-09-26 23:31:04 UTC (rev 96034)
@@ -0,0 +1 @@
+PASS

Copied: branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html (from rev 95791, trunk/LayoutTests/svg/custom/tref-clone-crash.html) (0 => 96034)


--- branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html	                        (rev 0)
+++ branches/chromium/835/LayoutTests/svg/custom/tref-clone-crash.html	2011-09-26 23:31:04 UTC (rev 96034)
@@ -0,0 +1,33 @@
+<svg xmlns:xlink="http://www.w3.org/1999/xlink" _onload_="runTest()">
+  <defs>
+    <style id="style"/>
+    <text id="ref"></text>
+  </defs>
+  <g><use xlink:href=""
+  <g><text><tref id="tref" xlink:href=""
+  <script>
+    function gc() {
+      if (window.GCController)
+        GCController.collect();
+      else {
+        for (var i = 0; i < 10000; ++i)
+          new Object;
+      }
+    }
+    if (window.layoutTestController) {
+      layoutTestController.dumpAsText();
+      layoutTestController.waitUntilDone();
+    }
+    function runTest() {
+      var tref = document.getElementById("tref");
+      tref.cloneNode(true);
+      gc();
+      var elem = document.getElementById("style");
+      var parent = elem.parentNode;
+      parent.insertBefore(document.createElement("source"), elem);
+      document.body.innerHTML = "PASS";
+      if (window.layoutTestController)
+        layoutTestController.notifyDone();
+    }
+  </script>
+</svg>
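Review bot: As rendered here the test cannot run or reference its target: line 36 has `_onload_="runTest()"` rather than `onload`, and lines 41–42 (`<use xlink:href=""` and `<tref id="tref" xlink:href=""`) end without a closing `/>` or an href value, so nothing would point at `#ref`. This is most likely archive mangling of the mail rather than the committed file, but it is worth confirming against the copy in trunk rev 95791 before trusting the expectation. Separately, the `gc()` fallback loop of `new Object` does not guarantee a collection, so the crash is only reliably reproduced under DumpRenderTree where `GCController` exists; a one-line comment above `gc()` such as `// Without GCController the collection is best-effort; the UAF may not reproduce outside DRT.` would save the next reader from chasing a flaky repro.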

Modified: branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp (96033 => 96034)


--- branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp	2011-09-26 23:29:34 UTC (rev 96033)
+++ branches/chromium/835/Source/WebCore/svg/SVGTRefElement.cpp	2011-09-26 23:31:04 UTC (rev 96034)
@@ -193,9 +193,11 @@
             return;
         }
         updateReferencedText();
-        m_eventListener = SubtreeModificationEventListener::create(this, id);
-        ASSERT(target->parentNode());
-        target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+        if (inDocument()) {
+            m_eventListener = SubtreeModificationEventListener::create(this, id);
+            ASSERT(target->parentNode());
+            target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+        }
         if (RenderObject* renderer = this->renderer())
             RenderSVGResource::markForLayoutAndParentResourceInvalidation(renderer);
         return;
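Review bot: The new `if (inDocument())` guard around the listener registration has no comment explaining why it matters, and the reason is the whole bug: `cloneNode` fires attribute-changed on a detached clone, which previously registered a listener holding a raw `this` that outlived the clone. I would add above line 82 `// Only register while in the document: the listener keeps a raw pointer to this element and is only torn down in removedFromDocument(), so a detached clone would leave a dangling registration.` (hedged on removedFromDocument() doing the teardown, which is outside this hunk). Note also that `m_eventListener` is overwritten here without any visible `removeEventListener` on the previous target's parent; if an earlier href had registered one, that is handled above the hunk or it leaks a registration, and the enclosing function starts outside the hunk so I cannot tell which.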
@@ -241,6 +243,21 @@
     }
 }
 
+void SVGTRefElement::insertedIntoDocument()
+{
+    SVGStyledElement::insertedIntoDocument();
+    String id;
+    Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
+    if (!target) {
+        document()->accessSVGExtensions()->addPendingResource(id, this);
+        return;
+    }
+    updateReferencedText();
+    m_eventListener = SubtreeModificationEventListener::create(this, id);
+    ASSERT(target->parentNode());
+    target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+}
+
 void SVGTRefElement::removedFromDocument()
 {
     SVGStyledElement::removedFromDocument();
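Review bot: Lines 97–106 duplicate the target lookup, pending-resource registration, `updateReferencedText()` and listener hookup already present in the attribute-changed path at lines 76–85, so the two copies will drift (this patch already differs in whether the registration is guarded by `inDocument()`). I would factor the shared tail into a private helper called from both sites, as sketched below, with a declaration added next to `insertedIntoDocument()` in the header. Two further points on the new function: `ASSERT(target->parentNode())` is compiled out in release builds and the very next line dereferences it, so if a detached target can ever come back from `targetElementFromIRIString` this is a null dereference, and a non-null `m_eventListener` left over from a previous insertion is silently overwritten rather than unregistered; I cannot confirm either from this hunk since `removedFromDocument()`'s body lies past it.
```cpp
// Shared tail of svgAttributeChanged() and insertedIntoDocument():
// resolve the href target and, while in the document, listen for
// subtree changes under it so the referenced text is refreshed.
void SVGTRefElement::buildPendingResource()
{
    String id;
    Element* target = SVGURIReference::targetElementFromIRIString(href(), document(), &id);
    if (!target) {
        document()->accessSVGExtensions()->addPendingResource(id, this);
        return;
    }
    updateReferencedText();
    if (!inDocument())
        return;
    m_eventListener = SubtreeModificationEventListener::create(this, id);
    ASSERT(target->parentNode());
    target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
}

void SVGTRefElement::insertedIntoDocument()
{
    SVGStyledElement::insertedIntoDocument();
    buildPendingResource();
}
```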

Modified: branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h (96033 => 96034)


--- branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h	2011-09-26 23:29:34 UTC (rev 96033)
+++ branches/chromium/835/Source/WebCore/svg/SVGTRefElement.h	2011-09-26 23:31:04 UTC (rev 96034)
@@ -47,6 +47,7 @@
     virtual bool childShouldCreateRenderer(Node*) const;
     virtual bool rendererIsNeeded(const NodeRenderingContext&);
 
+    virtual void insertedIntoDocument();
     virtual void removedFromDocument();
 
     void updateReferencedText();