commit 50a2ce7effb9f15557eb17d94b75dd71c4d8fec2
author inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Mar 01 18:19:03 2012 +0000
committer inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Mar 01 18:19:03 2012 +0000
tree a1cfd9fba6e9841f9dd596af442289a5e59955df
parent a4afd531073edca626e9c865005d59e35be1537f

Protect functions using two container node function, each of which can fire mutation events.
https://bugs.webkit.org/show_bug.cgi?id=78397

Reviewed by Ryosuke Niwa.

Source/WebCore:

Tests: fast/dom/document-set-title-mutation-crash.html
       fast/dom/option-text-mutation-crash.html

* dom/Node.cpp:
(WebCore::Node::setTextContent):
* dom/Text.cpp:
(WebCore::Text::replaceWholeText):
* editing/markup.cpp:
(WebCore::trimFragment):
(WebCore::replaceChildrenWithFragment):
(WebCore::replaceChildrenWithText):
* html/HTMLOptionElement.cpp:
(WebCore::HTMLOptionElement::setText):
* html/HTMLScriptElement.cpp:
(WebCore::HTMLScriptElement::setText):
* html/HTMLTableElement.cpp:
(WebCore::HTMLTableElement::insertRow):
* html/HTMLTextAreaElement.cpp:
(WebCore::HTMLTextAreaElement::setDefaultValue):
* html/HTMLTitleElement.cpp:
(WebCore::HTMLTitleElement::setText):

LayoutTests:

* fast/dom/document-set-title-mutation-crash-expected.txt: Added.
* fast/dom/document-set-title-mutation-crash.html: Added.
* fast/dom/option-text-mutation-crash-expected.txt: Added.
* fast/dom/option-text-mutation-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@109362 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/html/HTMLTableElement.cpp

diff --git a/Source/WebCore/html/HTMLTableElement.cpp b/Source/WebCore/html/HTMLTableElement.cpp
index d85b985..cf64b37 100644
--- a/Source/WebCore/html/HTMLTableElement.cpp
+++ b/Source/WebCore/html/HTMLTableElement.cpp
@@ -187,13 +187,15 @@
         return 0;
     }
 
-    HTMLTableRowElement* lastRow = 0;
-    HTMLTableRowElement* row = 0;
+    RefPtr<Node> protectFromMutationEvents(this);
+
+    RefPtr<HTMLTableRowElement> lastRow = 0;
+    RefPtr<HTMLTableRowElement> row = 0;
     if (index == -1)
         lastRow = HTMLTableRowsCollection::lastRow(this);
     else {
         for (int i = 0; i <= index; ++i) {
-            row = HTMLTableRowsCollection::rowAfter(this, lastRow);
+            row = HTMLTableRowsCollection::rowAfter(this, lastRow.get());
             if (!row) {
                 if (i != index) {
                     ec = INDEX_SIZE_ERR;
@@ -205,7 +207,7 @@
         }
     }
 
-    ContainerNode* parent;
+    RefPtr<ContainerNode> parent;
     if (lastRow)
         parent = row ? row->parentNode() : lastRow->parentNode();
     else {
@@ -220,7 +222,7 @@
     }
 
     RefPtr<HTMLTableRowElement> newRow = HTMLTableRowElement::create(document());
-    parent->insertBefore(newRow, row, ec);
+    parent->insertBefore(newRow, row.get(), ec);
     return newRow.release();
 }