third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp - Issue 1372343002: Crash fix: Avoid using stale HTMLToken after tree construction

Unified Diff: third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

Issue 1372343002: Crash fix: Avoid using stale HTMLToken after tree construction (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

diff --git a/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp b/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

index 21d666b6fa5734b46e93ecb413b57930edb5c324..b25ea3950776dd9677cabfe333193b91ff0efcd7 100644

--- a/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

+++ b/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilder.cpp

@@ -792,10 +792,11 @@ void HTMLTreeBuilder::processStartTagForInBody(AtomicHTMLToken* token)

}

if (token->name() == inputTag) {

Attribute* typeAttribute = token->getAttributeItem(typeAttr);

+ bool disableFrameset = !typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden");

m_tree.reconstructTheActiveFormattingElements();

m_tree.insertSelfClosingHTMLElement(token);

- if (!typeAttribute || !equalIgnoringCase(typeAttribute->value(), "hidden"))

- m_framesetOk = false;

+ m_framesetOk = disableFrameset;

Yoav Weiss 2015/09/29 07:12:42 Can you detail what you suspect is happening in th

kouhei (in TOK) 2015/09/29 07:32:18 Thanks for the catch. This wasn't intentional. Let

return;

}

if ((RuntimeEnabledFeatures::contextMenuEnabled() && token->name() == menuitemTag)

« no previous file with comments | « no previous file | no next file » | no next file with comments »