Title: [126755] trunk/Source/WebCore
- Revision: 126755
- Author: [email protected]
- Date: 2012-08-27 06:59:00 -0700 (Mon, 27 Aug 2012)
Log Message
REGRESSION(r126524): Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom
<http://webkit.org/b/95005>
Reviewed by Antti Koivisto.
Remove incorrect assertion that the StylePropertySet is empty before properties are copied
into it, as this is no guarantee in editing code.
This regressed when splitting the code into mutable/immutable paths. Covered by assertions
on existing tests.
* css/StylePropertySet.cpp:
(WebCore::StylePropertySet::copyPropertiesFrom):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (126754 => 126755)
--- trunk/Source/WebCore/ChangeLog 2012-08-27 13:52:59 UTC (rev 126754)
+++ trunk/Source/WebCore/ChangeLog 2012-08-27 13:59:00 UTC (rev 126755)
@@ -1,3 +1,18 @@
+2012-08-27 Andreas Kling <[email protected]>
+
+ REGRESSION(r126524): Heap-buffer-overflow in WebCore::StylePropertySet::copyPropertiesFrom
+ <http://webkit.org/b/95005>
+
+ Reviewed by Antti Koivisto.
+
+ Remove incorrect assertion that the StylePropertySet is empty before properties are copied
+ into it, as this is no guarantee in editing code.
+ This regressed when splitting the code into mutable/immutable paths. Covered by assertions
+ on existing tests.
+
+ * css/StylePropertySet.cpp:
+ (WebCore::StylePropertySet::copyPropertiesFrom):
+
2012-08-25 Andrey Kosyakov <[email protected]>
Web Inspector: display cause for style recalculation and layout on Timeline
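Review bot: the new entry's "Covered by assertions on existing tests" line is thin coverage for a heap-buffer-overflow regression tracked as bug 95005; consider adding a test that calls copyPropertiesFrom on a mutable StylePropertySet that already holds properties, since the removed `ASSERT(m_mutablePropertyVector->isEmpty())` was the only thing flagging that path and release builds compile assertions out.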
Modified: trunk/Source/WebCore/css/StylePropertySet.cpp (126754 => 126755)
--- trunk/Source/WebCore/css/StylePropertySet.cpp 2012-08-27 13:52:59 UTC (rev 126754)
+++ trunk/Source/WebCore/css/StylePropertySet.cpp 2012-08-27 13:59:00 UTC (rev 126755)
@@ -126,8 +126,8 @@
return;
}
- ASSERT(m_mutablePropertyVector->isEmpty());
- m_mutablePropertyVector->reserveInitialCapacity(other.m_arraySize);
+ m_mutablePropertyVector->clear();
+ m_mutablePropertyVector->reserveCapacity(other.m_arraySize);
for (unsigned i = 0; i < other.m_arraySize; ++i)
m_mutablePropertyVector->uncheckedAppend(other.array()[i]);
}
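Review bot: the `clear()` plus `reserveCapacity()` pairing is the right replacement for the removed `ASSERT` plus `reserveInitialCapacity()`, because reserveInitialCapacity is only valid on a vector with no existing size or capacity while reserveCapacity grows an existing buffer, and the loop below uses `uncheckedAppend`, which skips the per-element capacity check; add a short comment stating that `other.m_arraySize` elements have been reserved so a future edit does not reorder the reservation and the appends, and double-check that the early `return` at the top of the hunk still covers the case where `other.m_arraySize` is zero.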
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes