diff options
Diffstat (limited to 'Source')
| -rw-r--r-- | Source/WebCore/ChangeLog | 19 | ||||
| -rw-r--r-- | Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp | 8 | ||||
| -rw-r--r-- | Source/WebCore/editing/InsertParagraphSeparatorCommand.h | 4 |
3 files changed, 25 insertions, 6 deletions
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 556a5c049..93b2b4378 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog @@ -1,3 +1,22 @@ +2013-01-02 Abhishek Arya <inferno@chromium.org> + + Crash in WebCore::Element::cloneElementWithoutChildren. + https://bugs.webkit.org/show_bug.cgi?id=105949 + + Reviewed by Ryosuke Niwa. + + RefPtr |ancestors| vector since its elements can be destroyed from mutation events + fired in CompositeEditCommand::appendNode. + + No new tests. The testcase relies on recursive DOM mutations and does not minimize. + + * editing/InsertParagraphSeparatorCommand.cpp: + (WebCore::InsertParagraphSeparatorCommand::getAncestorsInsideBlock): + (WebCore::InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock): + (WebCore::InsertParagraphSeparatorCommand::doApply): + * editing/InsertParagraphSeparatorCommand.h: + (InsertParagraphSeparatorCommand): + 2013-01-04 Abhishek Arya <inferno@chromium.org> Heap-use-after-free in WebCore::XMLDocumentParser::doEnd diff --git a/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp b/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp index 268fa6793..72a729a84 100644 --- a/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp +++ b/Source/WebCore/editing/InsertParagraphSeparatorCommand.cpp @@ -119,7 +119,7 @@ bool InsertParagraphSeparatorCommand::shouldUseDefaultParagraphElement(Node* enc enclosingBlock->hasTagName(h5Tag); } -void InsertParagraphSeparatorCommand::getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<Element*>& ancestors) +void InsertParagraphSeparatorCommand::getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<RefPtr<Element> >& ancestors) { ancestors.clear(); @@ -130,7 +130,7 @@ void InsertParagraphSeparatorCommand::getAncestorsInsideBlock(const Node* insert } } -PassRefPtr<Element> InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock(const Vector<Element*>& ancestors, PassRefPtr<Element> blockToInsert) +PassRefPtr<Element> InsertParagraphSeparatorCommand::cloneHierarchyUnderNewBlock(const Vector<RefPtr<Element> >& ancestors, PassRefPtr<Element> blockToInsert) { // Make clones of ancestors in between the start node and the start block. RefPtr<Element> parent = blockToInsert; @@ -239,7 +239,7 @@ void InsertParagraphSeparatorCommand::doApply() // Recreate the same structure in the new paragraph. - Vector<Element*> ancestors; + Vector<RefPtr<Element> > ancestors; getAncestorsInsideBlock(positionOutsideTabSpan(insertionPosition).deprecatedNode(), startBlock.get(), ancestors); RefPtr<Element> parent = cloneHierarchyUnderNewBlock(ancestors, blockToInsert); @@ -278,7 +278,7 @@ void InsertParagraphSeparatorCommand::doApply() // Recreate the same structure in the new paragraph. - Vector<Element*> ancestors; + Vector<RefPtr<Element> > ancestors; getAncestorsInsideBlock(positionAvoidingSpecialElementBoundary(positionOutsideTabSpan(insertionPosition)).deprecatedNode(), startBlock.get(), ancestors); appendBlockPlaceholder(cloneHierarchyUnderNewBlock(ancestors, blockToInsert)); diff --git a/Source/WebCore/editing/InsertParagraphSeparatorCommand.h b/Source/WebCore/editing/InsertParagraphSeparatorCommand.h index 9f7210824..11e14d5a8 100644 --- a/Source/WebCore/editing/InsertParagraphSeparatorCommand.h +++ b/Source/WebCore/editing/InsertParagraphSeparatorCommand.h @@ -46,8 +46,8 @@ private: void calculateStyleBeforeInsertion(const Position&); void applyStyleAfterInsertion(Node* originalEnclosingBlock); - void getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<Element*>& ancestors); - PassRefPtr<Element> cloneHierarchyUnderNewBlock(const Vector<Element*>& ancestors, PassRefPtr<Element> blockToInsert); + void getAncestorsInsideBlock(const Node* insertionNode, Element* outerBlock, Vector<RefPtr<Element> >& ancestors); + PassRefPtr<Element> cloneHierarchyUnderNewBlock(const Vector<RefPtr<Element> >& ancestors, PassRefPtr<Element> blockToInsert); bool shouldUseDefaultParagraphElement(Node*) const; |