delta/qt5/qtwebkit.git - code.qt.io: qt/qtwebkit.git

diff options

author	Allan Sandfeld Jensen <allan.jensen@digia.com>	2013-02-28 13:37:51 +0100
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-02-28 15:16:50 +0100
commit	a9f4572cc5ae46f3a286ba1b759392fea03460b9 (patch)
tree	1d75587e7ecba878100733d1c5e0dfa93595b6c6 /Source/JavaScriptCore/assembler/ARMAssembler.cpp
parent	f9a60fb1ee03cb58339b8184ee78a8d14b436ae7 (diff)
download	qtwebkit-a9f4572cc5ae46f3a286ba1b759392fea03460b9.tar.gz

[SVG] OOB access in SVGListProperty::replaceItemValues()

https://bugs.webkit.org/show_bug.cgi?id=109293 Source/WebCore: Replacing a list property item with itself should be a no-op. This patch updates the related APIs and logic to detect the self-replace case and prevent removal of the item from the list. To avoid scanning the list multiple times, removeItemFromList() is updated to operate on indices and a findItem() method is added to resolve an item to an index. Reviewed by Dirk Schulze. No new tests: updated existing tests cover the change. * svg/properties/SVGAnimatedListPropertyTearOff.h: (WebCore::SVGAnimatedListPropertyTearOff::findItem): (SVGAnimatedListPropertyTearOff): (WebCore::SVGAnimatedListPropertyTearOff::removeItemFromList): * svg/properties/SVGAnimatedPathSegListPropertyTearOff.h: (WebCore::SVGAnimatedPathSegListPropertyTearOff::findItem): (SVGAnimatedPathSegListPropertyTearOff): (WebCore::SVGAnimatedPathSegListPropertyTearOff::removeItemFromList): Add a findItem() delegating method, and update removeItemFromList() to use the new index-based API. * svg/properties/SVGListProperty.h: (WebCore::SVGListProperty::insertItemBeforeValues): (WebCore::SVGListProperty::insertItemBeforeValuesAndWrappers): (WebCore::SVGListProperty::replaceItemValues): (WebCore::SVGListProperty::replaceItemValuesAndWrappers): (SVGListProperty): Updated to handle the no-op case for insertItemBefore() & replaceItem(). * svg/properties/SVGListPropertyTearOff.h: (WebCore::SVGListPropertyTearOff::findItem): (WebCore::SVGListPropertyTearOff::removeItemFromList): Index-based API updates. (WebCore::SVGListPropertyTearOff::processIncomingListItemValue): (WebCore::SVGListPropertyTearOff::processIncomingListItemWrapper): * svg/properties/SVGPathSegListPropertyTearOff.cpp: (WebCore::SVGPathSegListPropertyTearOff::processIncomingListItemValue): Detect the self-replace case and return without removing the item from the list. * svg/properties/SVGPathSegListPropertyTearOff.h: (WebCore::SVGPathSegListPropertyTearOff::findItem): (WebCore::SVGPathSegListPropertyTearOff::removeItemFromList): (SVGPathSegListPropertyTearOff): (WebCore::SVGPathSegListPropertyTearOff::processIncomingListItemWrapper): * svg/properties/SVGStaticListPropertyTearOff.h: (WebCore::SVGStaticListPropertyTearOff::processIncomingListItemValue): (WebCore::SVGStaticListPropertyTearOff::processIncomingListItemWrapper): Index-based API updates. Change-Id: I6afa8ff964eaccd1337156af41c5ded07e3b4b7d git-svn-id: http://svn.webkit.org/repository/webkit/trunk@142759 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

Diffstat (limited to 'Source/JavaScriptCore/assembler/ARMAssembler.cpp')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: