Chromium Code Reviews

Issue 3305027: Merge 66862 - 2010-09-06 Adam Barth <abarth@webkit.org>... (Closed)

Created: 10 years, 3 months ago by inferno
Modified: 9 years, 7 months ago
Reviewers: inferno
CC: chromium-reviews
Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/517/
Visibility: Public.

Description

Merge 66862 - 2010-09-06 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

OOB read with svg polyline
https://bugs.webkit.org/show_bug.cgi?id=45279

In principle, attributeChanged can do anything. If we supported more DOM mutation events, it could even run JavaScript. That means we need to be prepared for the attribute map to change when running attributeChanged. This patch makes this loop resilient to the attribute map changing by storing the list of changed attributes on the stack.

Test: fast/parser/changing-attrbutes-crash.html

* dom/Element.cpp:
(WebCore::Element::setAttributeMap):

2010-09-06 Adam Barth <abarth@webkit.org>

Reviewed by Sam Weinig.

OOB read with svg polyline
https://bugs.webkit.org/show_bug.cgi?id=45279

Test what happens when SVG changes the attribute map out from under us.

* fast/parser/changing-attrbutes-crash-expected.txt: Added.
* fast/parser/changing-attrbutes-crash.html: Added.

BUG=54532

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=67110
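The pattern the description refers to, as an added C++ example that is not WebKit's code and not part of this patch: a notification loop that indexes the live attribute list goes stale when the callback mutates it, while a loop over a stack-held snapshot does not. `Attr`, `Element`, `notifyLive`, `notifySnapshot`, `makeElement` and the shrinking callback are hypothetical names and a constructed scenario.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Hypothetical stand-ins, not WebCore's types.
struct Attr { std::string name, value; };
struct Element {
    std::vector<Attr> attrs;
    // Like attributeChanged in the description: free to mutate `attrs`.
    std::function<void(Element&, const Attr&)> attributeChanged;
};

// Assumed non-resilient shape: length cached once, list indexed live.
// Returns how many indices fell past the end after a callback shrank the
// list; they are counted rather than read, so the demo has no undefined behaviour.
size_t notifyLive(Element& e) {
    size_t stale = 0;
    const size_t length = e.attrs.size();
    for (size_t i = 0; i < length; ++i) {
        if (i >= e.attrs.size()) { ++stale; continue; }
        const Attr current = e.attrs[i];  // copy: the callback may reallocate
        e.attributeChanged(e, current);
    }
    return stale;
}

// Resilient shape: copy the changed attributes to a local first, then
// notify from the copy. Returns the number of notifications delivered.
size_t notifySnapshot(Element& e) {
    const std::vector<Attr> snapshot = e.attrs;
    for (const Attr& a : snapshot)
        e.attributeChanged(e, a);
    return snapshot.size();
}

// Constructed scenario: handling "points" drops every other attribute.
Element makeElement() {
    Element e;
    e.attrs = {{"points", "0,0 1,1"}, {"fill", "red"}, {"stroke", "blue"}};
    e.attributeChanged = [](Element& el, const Attr& a) {
        if (a.name == "points") el.attrs.resize(1);
    };
    return e;
}

int main() {
    Element a = makeElement(), b = makeElement();
    std::printf("live: %zu stale indices\n", notifyLive(a));
    std::printf("snapshot: %zu notifications\n", notifySnapshot(b));
}
```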

Patch Set 1 #

Stats (+4 lines, -1 line)
A + LayoutTests/fast/parser/changing-attrbutes-crash.html (0 chunks, +-1 lines, --1 lines, 0 comments)
A + LayoutTests/fast/parser/changing-attrbutes-crash-expected.txt (0 chunks, +-1 lines, --1 lines, 0 comments)
M WebCore/dom/Element.cpp (1 chunk, +6 lines, -3 lines, 0 comments)

Messages

Total messages: 1 (0 generated)
inferno
10 years, 3 months ago (2010-09-09 20:33:52 UTC) #1

          
