Skip to site navigation (Press enter)

[webkit-changes] [127644] trunk/Source/WebKit/blackberry

commit-queue Wed, 05 Sep 2012 13:58:05 -0700

Title: [127644] trunk/Source/WebKit/blackberry

Revision: 127644
Author: [email protected]
Date: 2012-09-05 13:58:54 -0700 (Wed, 05 Sep 2012)

Log Message

[BlackBerry] _javascript_Variant can crash when operator= is called with itself
https://bugs.webkit.org/show_bug.cgi?id=95859


Patch by Benjamin C Meyer <[email protected]> on 2012-09-05
Reviewed by George Staikos.

* Api/_javascript_Variant.cpp:
(BlackBerry::WebKit::_javascript_Variant::operator=):
When _javascript_Variant contains a string and operator= is
called with itself the memory will be free'd in 'this' and
then a copy will be attempted from 'that' resulting in a crash.

Modified Paths

trunk/Source/WebKit/blackberry/Api/_javascript_Variant.cpp
trunk/Source/WebKit/blackberry/ChangeLog

Diff

Modified: trunk/Source/WebKit/blackberry/Api/_javascript_Variant.cpp (127643 => 127644)


--- trunk/Source/WebKit/blackberry/Api/_javascript_Variant.cpp	2012-09-05 20:50:22 UTC (rev 127643)
+++ trunk/Source/WebKit/blackberry/Api/_javascript_Variant.cpp	2012-09-05 20:58:54 UTC (rev 127644)
@@ -147,6 +147,9 @@
 
 _javascript_Variant& _javascript_Variant::operator=(const _javascript_Variant& v)
 {
+    if (&v == this)
+        return *this;
+
     switch (v.type()) {
     case Boolean:
         setBoolean(v.booleanValue());

Modified: trunk/Source/WebKit/blackberry/ChangeLog (127643 => 127644)


--- trunk/Source/WebKit/blackberry/ChangeLog	2012-09-05 20:50:22 UTC (rev 127643)
+++ trunk/Source/WebKit/blackberry/ChangeLog	2012-09-05 20:58:54 UTC (rev 127644)
@@ -1,3 +1,16 @@
+2012-09-05  Benjamin C Meyer  <[email protected]>
+
+        [BlackBerry] _javascript_Variant can crash when operator= is called with itself
+        https://bugs.webkit.org/show_bug.cgi?id=95859
+
+        Reviewed by George Staikos.
+
+        * Api/_javascript_Variant.cpp:
+        (BlackBerry::WebKit::_javascript_Variant::operator=):
+        When _javascript_Variant contains a string and operator= is
+        called with itself the memory will be free'd in 'this' and
+        then a copy will be attempted from 'that' resulting in a crash.
+
 2012-09-05  Leo Yang  <[email protected]>
 
         [BlackBerry] Rotation and then reload causes less sized webpage (PR 190469)

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes