Title: [142358] trunk
- Revision
- 142358
- Author
- [email protected]
- Date
- 2013-02-09 07:25:19 -0800 (Sat, 09 Feb 2013)
Log Message
Fix crash by img[ismap] with content property
https://bugs.webkit.org/show_bug.cgi?id=108702
Reviewed by Adam Barth.
Source/WebCore:
Test: fast/dom/HTMLAnchorElement/anchor-ismap-crash.html
* html/HTMLAnchorElement.cpp:
(WebCore::appendServerMapMousePosition):
Check if the renderer of an img element is RenderImage.
LayoutTests:
* fast/dom/HTMLAnchorElement/anchor-ismap-crash-expected.txt: Added.
* fast/dom/HTMLAnchorElement/anchor-ismap-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (142357 => 142358)
--- trunk/LayoutTests/ChangeLog 2013-02-09 15:16:54 UTC (rev 142357)
+++ trunk/LayoutTests/ChangeLog 2013-02-09 15:25:19 UTC (rev 142358)
@@ -1,5 +1,15 @@
2013-02-09 Kent Tamura <[email protected]>
+ Fix crash by img[ismap] with content property
+ https://bugs.webkit.org/show_bug.cgi?id=108702
+
+ Reviewed by Adam Barth.
+
+ * fast/dom/HTMLAnchorElement/anchor-ismap-crash-expected.txt: Added.
+ * fast/dom/HTMLAnchorElement/anchor-ismap-crash.html: Added.
+
+2013-02-09 Kent Tamura <[email protected]>
+
[Chromium] Test expectation update.
* platform/chromium/TestExpectations:
Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash-expected.txt (0 => 142358)
--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash-expected.txt 2013-02-09 15:25:19 UTC (rev 142358)
@@ -0,0 +1,6 @@
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+foo
+
Added: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash.html (0 => 142358)
--- trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash.html (rev 0)
+++ trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash.html 2013-02-09 15:25:19 UTC (rev 142358)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<body>
+<script src=""
+<a href="" ismap style="content:'bar'; display:block;"></a>
+<script>
+document.getElementsByTagName('img')[0].click();
+testPassed('if not crashed.');
+</script>
+<script src=""
+</body>
Property changes on: trunk/LayoutTests/fast/dom/HTMLAnchorElement/anchor-ismap-crash.html
___________________________________________________________________
Added: svn:mime-type
Modified: trunk/Source/WebCore/ChangeLog (142357 => 142358)
--- trunk/Source/WebCore/ChangeLog 2013-02-09 15:16:54 UTC (rev 142357)
+++ trunk/Source/WebCore/ChangeLog 2013-02-09 15:25:19 UTC (rev 142358)
@@ -1,3 +1,16 @@
+2013-02-09 Kent Tamura <[email protected]>
+
+ Fix crash by img[ismap] with content property
+ https://bugs.webkit.org/show_bug.cgi?id=108702
+
+ Reviewed by Adam Barth.
+
+ Test: fast/dom/HTMLAnchorElement/anchor-ismap-crash.html
+
+ * html/HTMLAnchorElement.cpp:
+ (WebCore::appendServerMapMousePosition):
+ Check if the renderer of an img element is RenderImage.
+
2013-02-09 Mike West <[email protected]>
Drop ExceptionCode from IDB's directionToString and modeToString.
Modified: trunk/Source/WebCore/html/HTMLAnchorElement.cpp (142357 => 142358)
--- trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2013-02-09 15:16:54 UTC (rev 142357)
+++ trunk/Source/WebCore/html/HTMLAnchorElement.cpp 2013-02-09 15:25:19 UTC (rev 142358)
@@ -135,9 +135,9 @@
if (!imageElement || !imageElement->isServerMap())
return;
+ if (!imageElement->renderer() || !imageElement->renderer()->isRenderImage())
+ return;
RenderImage* renderer = toRenderImage(imageElement->renderer());
- if (!renderer)
- return;
// FIXME: This should probably pass true for useTransforms.
FloatPoint absolutePosition = renderer->absoluteToLocal(FloatPoint(static_cast<MouseEvent*>(event)->pageX(), static_cast<MouseEvent*>(event)->pageY()));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
