Title: [148497] trunk/Source/WebCore
Revision: 148497
Author: [email protected]
Date: 2013-04-16 00:36:29 -0700 (Tue, 16 Apr 2013)

Log Message

Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi
https://bugs.webkit.org/show_bug.cgi?id=114664

Reviewed by Oliver Hunt.

Use RefPtr as needed.

No new tests since this bug was discovered by code inspection.

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):

Diff

Modified: trunk/Source/WebCore/ChangeLog (148496 => 148497)


--- trunk/Source/WebCore/ChangeLog	2013-04-16 07:04:55 UTC (rev 148496)
+++ trunk/Source/WebCore/ChangeLog	2013-04-16 07:36:29 UTC (rev 148497)
@@ -1,3 +1,17 @@
+2013-04-15  Ryosuke Niwa  <[email protected]>
+
+        Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi
+        https://bugs.webkit.org/show_bug.cgi?id=114664
+
+        Reviewed by Oliver Hunt.
+
+        Use RefPtr as needed.
+
+        No new tests since this bug was discovered by code inspection.
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
+
 2013-04-15  Timothy Hatcher  <[email protected]>
 
         Web Inspector: Make var and function declarations work again in the Console.
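Review bot: The entry's description, "Use RefPtr as needed.", does not say what could free the nodes in the first place; since the fix is motivated by `splitElement` mutating the tree while `n` and `parent` were held as raw pointers, a sentence to that effect (and, if that mutation is what makes the case unreachable from a layout test, saying so rather than only "discovered by code inspection") would make the ChangeLog useful to someone bisecting to this revision.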

Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (148496 => 148497)


--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2013-04-16 07:04:55 UTC (rev 148496)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp	2013-04-16 07:36:29 UTC (rev 148497)
@@ -483,14 +483,14 @@
     }
 
     // Split every ancestor through highest ancestor with embedding.
-    Node* n = node;
-    while (true) {
-        Element* parent = toElement(n->parentNode());
-        if (before ? n->previousSibling() : n->nextSibling())
-            splitElement(parent, before ? n : n->nextSibling());
+    RefPtr<Node> currentNode = node;
+    while (currentNode) {
+        RefPtr<Element> parent = toElement(currentNode->parentNode());
+        if (before ? currentNode->previousSibling() : currentNode->nextSibling())
+            splitElement(parent, before ? currentNode : currentNode->nextSibling());
         if (parent == highestAncestorWithUnicodeBidi)
             break;
-        n = n->parentNode();
+        currentNode = parent;
     }
     return unsplitAncestor;
 }
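Review bot: The new `while (currentNode)` condition only takes effect after a null `parent` has already been used: `parent` is passed to `splitElement(parent, ...)` whenever the node has a sibling on the relevant side and is compared against `highestAncestorWithUnicodeBidi` before the loop re-tests `currentNode`, so a walk that runs off the top of the tree would still dereference a null element inside `splitElement`. Add `if (!parent) break;` directly after the `toElement` line, or an `ASSERT(parent)` if callers guarantee that `highestAncestorWithUnicodeBidi` is an ancestor of `node`, so the guard is explicit rather than relying on the loop condition. Separately, `parent` is captured before `splitElement` mutates the tree and is then used both for the `highestAncestorWithUnicodeBidi` comparison and as the next `currentNode`; the RefPtrs now keep both objects alive, which is the point of the change, but the ancestor chain walked after a split is the one captured before it, so a short comment stating that this ordering is intended would help the next reader.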
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes