Title: [153102] trunk/Source/WebCore
- Revision
- 153102
- Author
- [email protected]
- Date
- 2013-07-24 14:24:49 -0700 (Wed, 24 Jul 2013)
Log Message
Use-after-free in ApplyStyleCommand::removeInlineStyle
https://bugs.webkit.org/show_bug.cgi?id=118627
Reviewed by Oliver Hunt.
Merge https://chromium.googlesource.com/chromium/blink/+/b6471d077e012b05ccba14d0ce8e6d616106c8e6
Unfortunately, there is no test case for this bug.
* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::removeInlineStyle):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (153101 => 153102)
--- trunk/Source/WebCore/ChangeLog 2013-07-24 21:21:09 UTC (rev 153101)
+++ trunk/Source/WebCore/ChangeLog 2013-07-24 21:24:49 UTC (rev 153102)
@@ -1,3 +1,17 @@
+2013-07-24 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in ApplyStyleCommand::removeInlineStyle
+ https://bugs.webkit.org/show_bug.cgi?id=118627
+
+ Reviewed by Oliver Hunt.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/b6471d077e012b05ccba14d0ce8e6d616106c8e6
+
+ Unfortunately, there is no test case for this bug.
+
+ * editing/ApplyStyleCommand.cpp:
+ (WebCore::ApplyStyleCommand::removeInlineStyle):
+
2013-07-24 Zan Dobersek <[email protected]>
Remove CheckedInt, use Checked<T, RecordOverflow> instead
Modified: trunk/Source/WebCore/editing/ApplyStyleCommand.cpp (153101 => 153102)
--- trunk/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-07-24 21:21:09 UTC (rev 153101)
+++ trunk/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-07-24 21:24:49 UTC (rev 153102)
@@ -1109,16 +1109,17 @@
Position s = start.isNull() || start.isOrphan() ? pushDownStart : start;
Position e = end.isNull() || end.isOrphan() ? pushDownEnd : end;
- Node* node = start.deprecatedNode();
+ RefPtr<Node> node = start.deprecatedNode();
while (node) {
RefPtr<Node> next;
- if (editingIgnoresContent(node)) {
+ if (editingIgnoresContent(node.get())) {
ASSERT(node == end.deprecatedNode() || !node->contains(end.deprecatedNode()));
- next = NodeTraversal::nextSkippingChildren(node);
+ next = NodeTraversal::nextSkippingChildren(node.get());
} else
- next = NodeTraversal::next(node);
- if (node->isHTMLElement() && nodeFullySelected(node, start, end)) {
- RefPtr<HTMLElement> elem = toHTMLElement(node);
+ next = NodeTraversal::next(node.get());
+
+ if (node->isHTMLElement() && nodeFullySelected(node.get(), start, end)) {
+ RefPtr<HTMLElement> elem = toHTMLElement(node.get());
RefPtr<Node> prev = NodeTraversal::previousPostOrder(elem.get());
RefPtr<Node> next = NodeTraversal::next(elem.get());
RefPtr<EditingStyle> styleToPushDown;
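Review bot: The new `RefPtr<Node> node` declaration ahead of the `while (node)` loop has no comment saying why a strong reference is needed, and the log message states there is no regression test, so nothing stops a later cleanup from turning it back into a raw pointer. I would add `// Hold a ref: the style removal in the loop body can mutate the DOM and drop the last other reference to node.` above it; the mutating calls are presumably in the part of the loop after this hunk, which ends mid-body. The reference keeps the object alive but does not keep it attached, so whether the code that follows tolerates a `node` or outer `next` that has been detached or moved cannot be judged from these lines and is worth checking. Separately, the inner `RefPtr<Node> next = NodeTraversal::next(elem.get());` shadows the outer `next` declared at the top of the loop, which makes it hard to see which one advances the iteration; renaming the inner one (e.g. `nextAfterElem`, a constructed name) would make the lifetime reasoning easier to follow.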