Title: [151986] trunk/Source/WebCore
- Revision: 151986
- Author: [email protected]
- Date: 2013-06-26 03:49:02 -0700 (Wed, 26 Jun 2013)
Log Message
Use-after-free in RadioInputType::handleKeydownEvent
https://bugs.webkit.org/show_bug.cgi?id=118035
Reviewed by Kent Tamura.
Use RefPtr for inputElement since setFocusedNode could blow it away.
* html/RadioInputType.cpp:
(WebCore::RadioInputType::handleKeydownEvent):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (151985 => 151986)
--- trunk/Source/WebCore/ChangeLog 2013-06-26 10:39:50 UTC (rev 151985)
+++ trunk/Source/WebCore/ChangeLog 2013-06-26 10:49:02 UTC (rev 151986)
@@ -1,3 +1,15 @@
+2013-06-26 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in RadioInputType::handleKeydownEvent
+ https://bugs.webkit.org/show_bug.cgi?id=118035
+
+ Reviewed by Kent Tamura.
+
+ Use RefPtr for inputElement since setFocusedNode could blow it away.
+
+ * html/RadioInputType.cpp:
+ (WebCore::RadioInputType::handleKeydownEvent):
+
2013-06-26 Christophe Dumez <[email protected]>
Get rid of multiple inheritence for SVGViewElement interface
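Review bot: The new ChangeLog entry names no regression test and does not say why one is absent; that line would normally sit between "Use RefPtr for inputElement since setFocusedNode could blow it away." and "* html/RadioInputType.cpp:". For a use-after-free fix, suggest landing a test with the change and listing it here, or adding a line that states why no test is included, so the fix can be verified and a later change back to a raw pointer is caught.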
Modified: trunk/Source/WebCore/html/RadioInputType.cpp (151985 => 151986)
--- trunk/Source/WebCore/html/RadioInputType.cpp 2013-06-26 10:39:50 UTC (rev 151985)
+++ trunk/Source/WebCore/html/RadioInputType.cpp 2013-06-26 10:49:02 UTC (rev 151986)
@@ -93,7 +93,7 @@
// Look for more radio buttons.
if (!node->hasTagName(inputTag))
continue;
- HTMLInputElement* inputElement = static_cast<HTMLInputElement*>(node);
+ RefPtr<HTMLInputElement> inputElement = static_cast<HTMLInputElement*>(node);
if (inputElement->form() != element()->form())
break;
if (inputElement->isRadioButton() && inputElement->name() == element()->name() && inputElement->isFocusable()) {
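Review bot: The new `RefPtr<HTMLInputElement> inputElement` declaration has no comment saying why a strong reference is held, so a later cleanup could reasonably turn it back into a raw pointer. Suggest a one-line comment at the declaration that repeats the reason from the log message, for example `// setFocusedNode could destroy this element; keep it alive.` Two smaller points: the reference is taken for every input element the loop visits, including those that leave at the `form()` check, so it could be declared inside the `isRadioButton()` branch where the protection is needed; and since the hunk ends at that `if`, please confirm that nothing after the setFocusedNode call still reads `node` or `element()` through a raw pointer.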
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes