Title: [148908] trunk/Source/WebCore
- Revision
- 148908
- Author
- [email protected]
- Date
- 2013-04-22 13:39:24 -0700 (Mon, 22 Apr 2013)
Log Message
Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement
https://bugs.webkit.org/show_bug.cgi?id=114911
Reviewed by Oliver Hunt.
Back ported https://src.chromium.org/viewvc/blink?revision=148680&view=revision.
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (148907 => 148908)
--- trunk/Source/WebCore/ChangeLog 2013-04-22 20:29:58 UTC (rev 148907)
+++ trunk/Source/WebCore/ChangeLog 2013-04-22 20:39:24 UTC (rev 148908)
@@ -1,3 +1,15 @@
+2013-04-22 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement
+ https://bugs.webkit.org/show_bug.cgi?id=114911
+
+ Reviewed by Oliver Hunt.
+
+ Back ported https://src.chromium.org/viewvc/blink?revision=148680&view=revision.
+
+ * editing/CompositeEditCommand.cpp:
+ (WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
+
2013-04-22 Eric Carlson <[email protected]>
[Mac] "automatic" track selection should only select a track that matches user language
Modified: trunk/Source/WebCore/editing/CompositeEditCommand.cpp (148907 => 148908)
--- trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2013-04-22 20:29:58 UTC (rev 148907)
+++ trunk/Source/WebCore/editing/CompositeEditCommand.cpp 2013-04-22 20:39:24 UTC (rev 148908)
@@ -1037,8 +1037,8 @@
outerNode = outerNode->parentNode();
}
- Node* startNode = start.deprecatedNode();
- for (Node* node = NodeTraversal::nextSkippingChildren(startNode, outerNode.get()); node; node = NodeTraversal::nextSkippingChildren(node, outerNode.get())) {
+ RefPtr<Node> startNode = start.deprecatedNode();
+ for (RefPtr<Node> node = NodeTraversal::nextSkippingChildren(startNode.get(), outerNode.get()); node; node = NodeTraversal::nextSkippingChildren(node.get(), outerNode.get())) {
// Move lastNode up in the tree as much as node was moved up in the
// tree by NodeTraversal::nextSkippingChildren, so that the relative depth between
// node and the original start node is maintained in the clone.
@@ -1050,7 +1050,7 @@
RefPtr<Node> clonedNode = node->cloneNode(true);
insertNodeAfter(clonedNode, lastNode);
lastNode = clonedNode.release();
- if (node == end.deprecatedNode() || end.deprecatedNode()->isDescendantOf(node))
+ if (node == end.deprecatedNode() || end.deprecatedNode()->isDescendantOf(node.get()))
break;
}
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
