Title: [158724] trunk
Revision
158724
Author
[email protected]
Date
2013-11-05 23:11:31 -0800 (Tue, 05 Nov 2013)

Log Message

Use-after-free in SliderThumbElement::dragFrom
https://bugs.webkit.org/show_bug.cgi?id=123873

Reviewed by Andreas Kling.

Source/WebCore: 

Ref the SliderThumbElement since it could go away inside dragFrom.

Test: fast/forms/range/range-type-change-onchange-2.html

* html/RangeInputType.cpp:
(WebCore::RangeInputType::handleMouseDownEvent):

LayoutTests: 

Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b

* fast/forms/range/range-type-change-onchange-2-expected.txt: Added.
* fast/forms/range/range-type-change-onchange-2.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (158723 => 158724)


--- trunk/LayoutTests/ChangeLog	2013-11-06 06:14:47 UTC (rev 158723)
+++ trunk/LayoutTests/ChangeLog	2013-11-06 07:11:31 UTC (rev 158724)
@@ -1,5 +1,17 @@
 2013-11-05  Ryosuke Niwa  <[email protected]>
 
+        Use-after-free in SliderThumbElement::dragFrom
+        https://bugs.webkit.org/show_bug.cgi?id=123873
+
+        Reviewed by Andreas Kling.
+
+        Merge https://chromium.googlesource.com/chromium/blink/+/04a23bfca2d04101a1828d36ff36c29f3a24f34b
+
+        * fast/forms/range/range-type-change-onchange-2-expected.txt: Added.
+        * fast/forms/range/range-type-change-onchange-2.html: Added.
+
+2013-11-05  Ryosuke Niwa  <[email protected]>
+
         valueForBorderRadiusShorthand returns wrong values in some case
         https://bugs.webkit.org/show_bug.cgi?id=123866
 

Added: trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt (0 => 158724)


--- trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2-expected.txt	2013-11-06 07:11:31 UTC (rev 158724)
@@ -0,0 +1,10 @@
+Test if drag on a padding area of input[type=range] do not trigger an assertion failure.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS if not crashed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
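Review bot: The description line "Test if drag on a padding area of input[type=range] do not trigger an assertion failure" has a number-agreement error ("does not") and describes the symptom as an assertion failure, whereas the ChangeLog entry above calls it a use-after-free; since this file is a byte-for-byte expectation, any wording change must be made in the HTML test's `description()` call at the same time, and the expectation regenerated.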

Added: trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2.html (0 => 158724)


--- trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/range/range-type-change-onchange-2.html	2013-11-06 07:11:31 UTC (rev 158724)
@@ -0,0 +1,32 @@
+<body>
+<style>
+input {
+    padding-right: 32px;
+    padding-top: 32px;
+}
+</style>
+<input _onchange_="this.type = 'text';" type="range" id="input">
+<script src=""
+<script>
+jsTestIsAsync = true;
+
+function keyDownMouseClick(x1, y1, x2, y2) {
+    if (!window.eventSender)
+        return;
+    eventSender.mouseMoveTo(x1, y1);
+    eventSender.mouseDown();
+    eventSender.mouseMoveTo(x2, y2);
+    eventSender.mouseUp();
+}
+
+window._onload_ = function() {
+    var input = document.getElementById("input");
+    input.focus();
+    keyDownMouseClick(input.offsetLeft + input.offsetWidth - 32, input.offsetTop, 0, 0);
+    description('Test if drag on a padding area of input[type=range] do not trigger an assertion failure.');
+    testPassed('if not crashed.');
+    finishJSTest();
+};
+</script>
+<script src=""
+</body>
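Review bot: As rendered, the event attributes `_onchange_` and `_onload_` and the two unterminated `<script src=""` lines are not valid HTML, so the type change that is supposed to tear down the thumb would never fire and the helper scripts meant to be loaded there (their `src` is empty in the diff) would not load; if that is an artifact of how this page was extracted, fine, but otherwise the test reports PASS without ever exercising the bug. Two smaller points: `keyDownMouseClick` performs a press, move and release with no key involved, so a name such as `dragFromTo` would describe it better, and when `window.eventSender` is absent the test passes having done nothing, which is the usual harness convention but worth a one-line comment so nobody reads a browser PASS as coverage.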

Modified: trunk/Source/WebCore/ChangeLog (158723 => 158724)


--- trunk/Source/WebCore/ChangeLog	2013-11-06 06:14:47 UTC (rev 158723)
+++ trunk/Source/WebCore/ChangeLog	2013-11-06 07:11:31 UTC (rev 158724)
@@ -1,5 +1,19 @@
 2013-11-05  Ryosuke Niwa  <[email protected]>
 
+        Use-after-free in SliderThumbElement::dragFrom
+        https://bugs.webkit.org/show_bug.cgi?id=123873
+
+        Reviewed by Andreas Kling.
+
+        Ref the SliderThumbElement since it could go away inside dragFrom.
+
+        Test: fast/forms/range/range-type-change-onchange-2.html
+
+        * html/RangeInputType.cpp:
+        (WebCore::RangeInputType::handleMouseDownEvent):
+
+2013-11-05  Ryosuke Niwa  <[email protected]>
+
         Change the order of conditions to avoid computing rendererIsEditable()
         https://bugs.webkit.org/show_bug.cgi?id=123868
 
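Review bot: The entry says the thumb "could go away inside dragFrom" but not what makes it go away; the new test's change handler sets `this.type = 'text'` on the range input, which is what discards the slider's thumb while `dragFrom` is still running. Naming that trigger here would make the ChangeLog useful to someone bisecting a similar lifetime bug later.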

Modified: trunk/Source/WebCore/html/RangeInputType.cpp (158723 => 158724)


--- trunk/Source/WebCore/html/RangeInputType.cpp	2013-11-06 06:14:47 UTC (rev 158723)
+++ trunk/Source/WebCore/html/RangeInputType.cpp	2013-11-06 07:11:31 UTC (rev 158724)
@@ -149,10 +149,10 @@
     ASSERT(element().shadowRoot());
     if (targetNode != &element() && !targetNode->isDescendantOf(element().userAgentShadowRoot()))
         return;
-    SliderThumbElement& thumb = typedSliderThumbElement();
-    if (targetNode == &thumb)
+    RefPtr<SliderThumbElement> thumb = &typedSliderThumbElement();
+    if (targetNode == thumb)
         return;
-    thumb.dragFrom(event->absoluteLocation());
+    thumb->dragFrom(event->absoluteLocation());
 }
 
 #if ENABLE(TOUCH_EVENTS)
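Review bot: Holding a `RefPtr<SliderThumbElement>` across `thumb->dragFrom(event->absoluteLocation())` is the right fix, since the change handler run during the drag can change the input's type and discard the thumb; two suggestions. First, `typedSliderThumbElement()` returns a reference, so `thumb` is never null here and `Ref<SliderThumbElement>` (if available in this tree) would document that and avoid comparing a raw `Node*` against a smart pointer in `if (targetNode == thumb)`. Second, if the same type change can also replace the `RangeInputType` that owns this method, `this` is no longer safe once `dragFrom` returns; the function is fine as written only because nothing runs after the call, so a brief comment stating that the local ref must outlive the call and that no member access may follow it would protect the invariant against future edits.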
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
