Source/WebCore/svg/SVGTRefElement.cpp - Issue 8046025: Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText

Side by Side Diff: Source/WebCore/svg/SVGTRefElement.cpp

Issue 8046025: Merge 95791 - use after free in WebCore::SVGTRefElement::updateReferencedText (Closed) Base URL: http://svn.webkit.org/repository/webkit/branches/chromium/835/

Patch Set: Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann@kde.org>	2 * Copyright (C) 2004, 2005 Nikolas Zimmermann <zimmermann@kde.org>

3 * Copyright (C) 2004, 2005, 2006 Rob Buis <buis@kde.org>	3 * Copyright (C) 2004, 2005, 2006 Rob Buis <buis@kde.org>

4 * Copyright (C) Research In Motion Limited 2011. All rights reserved.	4 * Copyright (C) Research In Motion Limited 2011. All rights reserved.

5 *	5 *

6 * This library is free software; you can redistribute it and/or	6 * This library is free software; you can redistribute it and/or

7 * modify it under the terms of the GNU Library General Public	7 * modify it under the terms of the GNU Library General Public

8 * License as published by the Free Software Foundation; either	8 * License as published by the Free Software Foundation; either

9 * version 2 of the License, or (at your option) any later version.	9 * version 2 of the License, or (at your option) any later version.

10 *	10 *

(...skipping 175 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
186 m_eventListener->removeFromTarget();	186 m_eventListener->removeFromTarget();

187 m_eventListener = 0;	187 m_eventListener = 0;

188 }	188 }

189 String id = SVGURIReference::getTarget(href());	189 String id = SVGURIReference::getTarget(href());

190 Element* target = treeScope()->getElementById(id);	190 Element* target = treeScope()->getElementById(id);

191 if (!target) {	191 if (!target) {

192 document()->accessSVGExtensions()->addPendingResource(id, this);	192 document()->accessSVGExtensions()->addPendingResource(id, this);

193 return;	193 return;

194 }	194 }

195 updateReferencedText();	195 updateReferencedText();

196 m_eventListener = SubtreeModificationEventListener::create(this, id);	196 if (inDocument()) {

197 ASSERT(target->parentNode());	197 m_eventListener = SubtreeModificationEventListener::create(this, id) ;

198 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEv ent, m_eventListener.get(), false);	198 ASSERT(target->parentNode());

	199 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifi edEvent, m_eventListener.get(), false);

	200 }

199 if (RenderObject* renderer = this->renderer())	201 if (RenderObject* renderer = this->renderer())

200 RenderSVGResource::markForLayoutAndParentResourceInvalidation(render er);	202 RenderSVGResource::markForLayoutAndParentResourceInvalidation(render er);

201 return;	203 return;

202 }	204 }

203	205

204 ASSERT_NOT_REACHED();	206 ASSERT_NOT_REACHED();

205 }	207 }

206	208

207 RenderObject* SVGTRefElement::createRenderer(RenderArena* arena, RenderStyle*)	209 RenderObject* SVGTRefElement::createRenderer(RenderArena* arena, RenderStyle*)

208 {	210 {

(...skipping 25 matching lines...) Expand all Loading...
234 updateReferencedText();	236 updateReferencedText();

235 String id = SVGURIReference::getTarget(href());	237 String id = SVGURIReference::getTarget(href());

236 if (Element* target = treeScope()->getElementById(id)) {	238 if (Element* target = treeScope()->getElementById(id)) {

237 ASSERT(!m_eventListener);	239 ASSERT(!m_eventListener);

238 m_eventListener = SubtreeModificationEventListener::create(this, id);	240 m_eventListener = SubtreeModificationEventListener::create(this, id);

239 ASSERT(target->parentNode());	241 ASSERT(target->parentNode());

240 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEv ent, m_eventListener.get(), false);	242 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEv ent, m_eventListener.get(), false);

241 }	243 }

242 }	244 }

243	245

	246 void SVGTRefElement::insertedIntoDocument()

	247 {

	248 SVGStyledElement::insertedIntoDocument();

	249 String id;

	250 Element* target = SVGURIReference::targetElementFromIRIString(href(), docume nt(), &id);

	251 if (!target) {

	252 document()->accessSVGExtensions()->addPendingResource(id, this);

	253 return;

	254 }

	255 updateReferencedText();

	256 m_eventListener = SubtreeModificationEventListener::create(this, id);

	257 ASSERT(target->parentNode());

	258 target->parentNode()->addEventListener(eventNames().DOMSubtreeModifiedEvent, m_eventListener.get(), false);

	259 }

	260

244 void SVGTRefElement::removedFromDocument()	261 void SVGTRefElement::removedFromDocument()

245 {	262 {

246 SVGStyledElement::removedFromDocument();	263 SVGStyledElement::removedFromDocument();

247	264

248 if (!m_eventListener)	265 if (!m_eventListener)

249 return;	266 return;

250	267

251 m_eventListener->removeFromTarget();	268 m_eventListener->removeFromTarget();

252 m_eventListener = 0;	269 m_eventListener = 0;

253 }	270 }

254	271

255 }	272 }

256	273

257 #endif // ENABLE(SVG)	274 #endif // ENABLE(SVG)

OLD	NEW

« no previous file with comments | « Source/WebCore/svg/SVGTRefElement.h ('k') | no next file » | no next file with comments »