Google Git
Sign in
webkit / WebKit / 23cb427ade6192348aab9d48d16f57829d0b5a1c
commit23cb427ade6192348aab9d48d16f57829d0b5a1c[log] [tgz]
authorakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Dec 11 20:46:56 2012 +0000
committerakling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Dec 11 20:46:56 2012 +0000
treeb7e3c02166e0a79e5a9cfa4cc463f2c11eee08af
parent68b135d7b3cebd212e6d9fa88593e8e98edc40fc [diff]
REGRESSION(r133492): Heap-use-after-free in WebCore::Element::normalizeAttributes
<http://webkit.org/b/104488>

Reviewed by Antti Koivisto.

Source/WebCore:

Don't cache the AttrNodeList* in a local when iterating over an Element's Attr nodes since
that pointer may go stale if JS runs in response to a DOMSubtreeModified event below Node::normalize().

Test: fast/dom/normalize-attributes-mutation-event-crash.html

* dom/Element.cpp:
(WebCore::Element::normalizeAttributes):

LayoutTests:

* fast/dom/normalize-attributes-mutation-event-crash-expected.txt: Added.
* fast/dom/normalize-attributes-mutation-event-crash.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137341 268f45cc-cd09-0410-ab3c-d52691b4dbfc
5 files changed
tree: b7e3c02166e0a79e5a9cfa4cc463f2c11eee08af
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKit.xcworkspace/
  8. WebKitLibraries/
  9. Websites/
  10. .dir-locals.el
  11. .gitattributes
  12. .gitignore
  13. .qmake.conf
  14. autogen.sh
  15. ChangeLog
  16. ChangeLog-2012-05-22
  17. CMakeLists.txt
  18. configure.ac
  19. GNUmakefile.am
  20. Makefile
  21. Makefile.shared
  22. WebKit.pro
  23. wscript