Title: [142642] trunk/Source/WebCore
- Revision: 142642
- Author: [email protected]
- Date: 2013-02-12 10:49:38 -0800 (Tue, 12 Feb 2013)
Log Message
Heap-use-after-free in WebCore::DeleteButtonController::enable
https://bugs.webkit.org/show_bug.cgi?id=109447
Reviewed by Ryosuke Niwa.
RefPtr frame pointer since it can get deleted due to mutation events
fired inside AppendNodeCommand::doUnapply.
No new tests. Testcase is hard to minimize due to recursive
calls with DOMNodeRemovedFromDocument mutation event.
* editing/CompositeEditCommand.cpp:
(WebCore::EditCommandComposition::unapply):
(WebCore::EditCommandComposition::reapply):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (142641 => 142642)
--- trunk/Source/WebCore/ChangeLog 2013-02-12 18:43:15 UTC (rev 142641)
+++ trunk/Source/WebCore/ChangeLog 2013-02-12 18:49:38 UTC (rev 142642)
@@ -1,3 +1,20 @@
+2013-02-12 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::DeleteButtonController::enable
+ https://bugs.webkit.org/show_bug.cgi?id=109447
+
+ Reviewed by Ryosuke Niwa.
+
+ RefPtr frame pointer since it can get deleted due to mutation events
+ fired inside AppendNodeCommand::doUnapply.
+
+ No new tests. Testcase is hard to minimize due to recursive
+ calls with DOMNodeRemovedFromDocument mutation event.
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::EditCommandComposition::unapply):
+ (WebCore::EditCommandComposition::reapply):
+
2013-02-12 Eric Seidel <[email protected]>
Remove HTMLTokenTypes header (and split out AtomicHTMLToken.h from HTMLToken.h)
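Review bot: "No new tests" in this ChangeLog entry leaves a heap-use-after-free fix with no regression coverage. If the testcase cannot be minimized because of the recursive DOMNodeRemovedFromDocument calls, consider landing the unminimized case as it is, or say in the entry where it is tracked, so that a later cleanup of unapply()/reapply() that drops the RefPtr gets caught.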
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (142641 => 142642)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2013-02-12 18:43:15 UTC (rev 142641)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2013-02-12 18:49:38 UTC (rev 142642)
@@ -95,7 +95,7 @@
void EditCommandComposition::unapply()
{
ASSERT(m_document);
- Frame* frame = m_document->frame();
+ RefPtr<Frame> frame = m_document->frame();
ASSERT(frame);
// Changes to the document may have been made since the last editing operation that require a layout, as in <rdar://problem/5658603>.
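Review bot: The new `RefPtr<Frame> frame = m_document->frame();` line in unapply() carries no comment explaining why a strong reference is needed, so a later cleanup could easily turn it back into `Frame*`. Add a one-line comment above it noting that mutation events fired while unapplying can delete the frame. Separately, `ASSERT(frame);` on the following line is compiled out of release builds, so if frame() can return null at this point an explicit early return would be safer than relying on the assert.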
@@ -119,7 +119,7 @@
void EditCommandComposition::reapply()
{
ASSERT(m_document);
- Frame* frame = m_document->frame();
+ RefPtr<Frame> frame = m_document->frame();
ASSERT(frame);
// Changes to the document may have been made since the last editing operation that require a layout, as in <rdar://problem/5658603>.
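Review bot: The log message justifies the RefPtr only through mutation events fired inside AppendNodeCommand::doUnapply, but this hunk makes the same change in reapply() without naming a path that can delete the frame there. Please state in the ChangeLog which reapply path fires the events, or that this change is defensive, and put a short comment on the `RefPtr<Frame> frame` line saying so.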
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes