
Side by Side Diff: Source/WebCore/svg/SVGTRefElement.cpp

Issue 8015009: Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/874/
Patch Set: Created 9 years, 3 months ago
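--- a/Source/WebCore/svg/SVGTRefElement.cpp
+++ b/Source/WebCore/svg/SVGTRefElement.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann@kde.org>
 * Copyright (C) 2004, 2005, 2006 Rob Buis <buis@kde.org>
 * Copyright (C) Research In Motion Limited 2011. All rights reserved.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
@@ -188,23 +188,25 @@
 m_eventListener->removeFromTarget();
 m_eventListener = 0;
 }
 String id;
 Element* target = SVGURIReference::targetElementFromIRIString(href(), do cument(), &id);
 if (!target) {
 document()->accessSVGExtensions()->addPendingResource(id, this);
 return;
 }
 updateReferencedText();
-m_eventListener = SubtreeModificationEventListener::create(this, id);
-ASSERT(target->parentNode());
-target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEv ent, m_eventListener.get(), false);
+if (inDocument()) {
+m_eventListener = SubtreeModificationEventListener::create(this, id) ;
+ASSERT(target->parentNode());
+target->parentNode()->addEventListener(eventNames().DOMSubtreeModifi edEvent, m_eventListener.get(), false);
+}
 if (RenderObject* renderer = this->renderer())
 RenderSVGResource::markForLayoutAndParentResourceInvalidation(render er);
 return;
 }
 
 ASSERT_NOT_REACHED();
 }
 
 RenderObject* SVGTRefElement::createRenderer(RenderArena* arena, RenderStyle*)
 {
@@ -235,24 +237,39 @@
 {
 updateReferencedText();
 if (Element* target = SVGURIReference::targetElementFromIRIString(href(), do cument())) {
 ASSERT(!m_eventListener);
 m_eventListener = SubtreeModificationEventListener::create(this, target- >getIdAttribute());
 ASSERT(target->parentNode());
 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEv ent, m_eventListener.get(), false);
 }
 }
 
+void SVGTRefElement::insertedIntoDocument()
+{
+SVGStyledElement::insertedIntoDocument();
+String id;
+Element* target = SVGURIReference::targetElementFromIRIString(href(), docume nt(), &id);
+if (!target) {
+document()->accessSVGExtensions()->addPendingResource(id, this);
+return;
+}
+updateReferencedText();
+m_eventListener = SubtreeModificationEventListener::create(this, id);
+ASSERT(target->parentNode());
+target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);
+}
+
 void SVGTRefElement::removedFromDocument()
 {
 SVGStyledElement::removedFromDocument();
 
 if (!m_eventListener)
 return;
 
 m_eventListener->removeFromTarget();
 m_eventListener = 0;
 }
 
 }
 
 #endif // ENABLE(SVG)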
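Review bot: insertedIntoDocument() (new lines 247-260) assigns m_eventListener without first detaching a listener that may already be registered, so an earlier listener created with `this` could stay attached to the old target's parent after the member is overwritten. This looks reachable because the function ending at new line 245 (its name is outside the visible lines) still creates a listener without the inDocument() check that this change adds at new line 198, while addPendingResource() at new line 194 is still called for elements outside the document; whether that function can actually run for a detached element should be confirmed against the caller. Given that the patch addresses a use-after-free, I would detach first, mirroring removedFromDocument(): `if (m_eventListener) { m_eventListener->removeFromTarget(); m_eventListener = 0; }`, and apply the same `inDocument()` gate to the listener creation at new line 241. The `ASSERT(target->parentNode())` checks compile out in release builds, so the dereference that follows relies on the target always having a parent; a short comment stating why that holds would help.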