Title: [119338] releases/WebKitGTK/webkit-1.8
- Revision
- 119338
- Author
- [email protected]
- Date
- 2012-06-02 13:32:02 -0700 (Sat, 02 Jun 2012)
Log Message
Merge 115763 - Ensure HTMLElementStack fails gracefully if it has a non-Element.
https://bugs.webkit.org/show_bug.cgi?id=85167
Reviewed by Adam Barth.
Source/WebCore:
Test: Added to html5lib/resources/webkit02.dat
* html/parser/HTMLElementStack.cpp:
(WebCore::HTMLElementStack::oneBelowTop):
* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processEndTag):
LayoutTests:
* html5lib/resources/webkit02.dat:
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (119337 => 119338)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-06-02 20:31:42 UTC (rev 119337)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog 2012-06-02 20:32:02 UTC (rev 119338)
@@ -1,3 +1,12 @@
+2012-05-01 James Simonsen <[email protected]>
+
+ Ensure HTMLElementStack fails gracefully if it has a non-Element.
+ https://bugs.webkit.org/show_bug.cgi?id=85167
+
+ Reviewed by Adam Barth.
+
+ * html5lib/resources/webkit02.dat:
+
2012-02-20 Adam Barth <[email protected]>
Invalid cast in WebCore::toElement / WebCore::HTMLElementStack::ElementRecord::element
Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/html5lib/resources/webkit02.dat (119337 => 119338)
--- releases/WebKitGTK/webkit-1.8/LayoutTests/html5lib/resources/webkit02.dat 2012-06-02 20:31:42 UTC (rev 119337)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/html5lib/resources/webkit02.dat 2012-06-02 20:32:02 UTC (rev 119338)
@@ -149,3 +149,11 @@
| <input>
| name="isindex"
| <hr>
+
+#data
+<option><XH<optgroup></optgroup>
+#errors
+#document-fragment
+select
+#document
+| <option>
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (119337 => 119338)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-06-02 20:31:42 UTC (rev 119337)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog 2012-06-02 20:32:02 UTC (rev 119338)
@@ -1,3 +1,17 @@
+2012-05-01 James Simonsen <[email protected]>
+
+ Ensure HTMLElementStack fails gracefully if it has a non-Element.
+ https://bugs.webkit.org/show_bug.cgi?id=85167
+
+ Reviewed by Adam Barth.
+
+ Test: Added to html5lib/resources/webkit02.dat
+
+ * html/parser/HTMLElementStack.cpp:
+ (WebCore::HTMLElementStack::oneBelowTop):
+ * html/parser/HTMLTreeBuilder.cpp:
+ (WebCore::HTMLTreeBuilder::processEndTag):
+
2012-02-20 Adam Barth <[email protected]>
Invalid cast in WebCore::toElement / WebCore::HTMLElementStack::ElementRecord::element
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLElementStack.cpp (119337 => 119338)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLElementStack.cpp 2012-06-02 20:31:42 UTC (rev 119337)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLElementStack.cpp 2012-06-02 20:32:02 UTC (rev 119338)
@@ -386,10 +386,12 @@
Element* HTMLElementStack::oneBelowTop() const
{
- // We should never be calling this if it could be 0.
+ // We should never call this if there are fewer than 2 elements on the stack.
ASSERT(m_top);
ASSERT(m_top->next());
- return m_top->next()->element();
+ if (m_top->next()->node()->isElementNode())
+ return m_top->next()->element();
+ return 0;
}
Element* HTMLElementStack::bottom() const
Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLTreeBuilder.cpp (119337 => 119338)
--- releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2012-06-02 20:31:42 UTC (rev 119337)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/html/parser/HTMLTreeBuilder.cpp 2012-06-02 20:32:02 UTC (rev 119338)
@@ -2204,7 +2204,7 @@
case InSelectMode:
ASSERT(insertionMode() == InSelectMode || insertionMode() == InSelectInTableMode);
if (token.name() == optgroupTag) {
- if (m_tree.currentNode()->hasTagName(optionTag) && m_tree.oneBelowTop()->hasTagName(optgroupTag))
+ if (m_tree.currentNode()->hasTagName(optionTag) && m_tree.oneBelowTop() && m_tree.oneBelowTop()->hasTagName(optgroupTag))
processFakeEndTag(optionTag);
if (m_tree.currentNode()->hasTagName(optgroupTag)) {
m_tree.openElements()->pop();
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
