Title: [153389] branches/safari-537-branch/Source/WebCore
- Revision
- 153389
- Author
- [email protected]
- Date
- 2013-07-26 16:43:21 -0700 (Fri, 26 Jul 2013)
Log Message
Merged r153102. <rdar://problem/14433205>
Modified Paths
Diff
Modified: branches/safari-537-branch/Source/WebCore/ChangeLog (153388 => 153389)
--- branches/safari-537-branch/Source/WebCore/ChangeLog 2013-07-26 23:41:06 UTC (rev 153388)
+++ branches/safari-537-branch/Source/WebCore/ChangeLog 2013-07-26 23:43:21 UTC (rev 153389)
@@ -1,5 +1,23 @@
2013-07-26 Lucas Forschler <[email protected]>
+ Merge r153102
+
+ 2013-07-24 Ryosuke Niwa <[email protected]>
+
+ Use-after-free in ApplyStyleCommand::removeInlineStyle
+ https://bugs.webkit.org/show_bug.cgi?id=118627
+
+ Reviewed by Oliver Hunt.
+
+ Merge https://chromium.googlesource.com/chromium/blink/+/b6471d077e012b05ccba14d0ce8e6d616106c8e6
+
+ Unfortunately, there is no test case for this bug.
+
+ * editing/ApplyStyleCommand.cpp:
+ (WebCore::ApplyStyleCommand::removeInlineStyle):
+
+2013-07-26 Lucas Forschler <[email protected]>
+
Merge r152905
2013-07-19 Geoffrey Garen <[email protected]>
Modified: branches/safari-537-branch/Source/WebCore/editing/ApplyStyleCommand.cpp (153388 => 153389)
--- branches/safari-537-branch/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-07-26 23:41:06 UTC (rev 153388)
+++ branches/safari-537-branch/Source/WebCore/editing/ApplyStyleCommand.cpp 2013-07-26 23:43:21 UTC (rev 153389)
@@ -1109,16 +1109,17 @@
Position s = start.isNull() || start.isOrphan() ? pushDownStart : start;
Position e = end.isNull() || end.isOrphan() ? pushDownEnd : end;
- Node* node = start.deprecatedNode();
+ RefPtr<Node> node = start.deprecatedNode();
while (node) {
RefPtr<Node> next;
- if (editingIgnoresContent(node)) {
+ if (editingIgnoresContent(node.get())) {
ASSERT(node == end.deprecatedNode() || !node->contains(end.deprecatedNode()));
- next = NodeTraversal::nextSkippingChildren(node);
+ next = NodeTraversal::nextSkippingChildren(node.get());
} else
- next = NodeTraversal::next(node);
- if (node->isHTMLElement() && nodeFullySelected(node, start, end)) {
- RefPtr<HTMLElement> elem = toHTMLElement(node);
+ next = NodeTraversal::next(node.get());
+
+ if (node->isHTMLElement() && nodeFullySelected(node.get(), start, end)) {
+ RefPtr<HTMLElement> elem = toHTMLElement(node.get());
RefPtr<Node> prev = NodeTraversal::previousPostOrder(elem.get());
RefPtr<Node> next = NodeTraversal::next(elem.get());
RefPtr<EditingStyle> styleToPushDown;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
