hmuller@adobe.com authored
https://bugs.webkit.org/show_bug.cgi?id=120802

Reviewed by Darin Adler.

Source/WebCore:

Revised the implementation of subtractShapeIntervals() to isolate and check the places where it dereferences ShapeInterval vector iterators.

Test: fast/shapes/shape-inside/shape-inside-subtract-intervals-crash.html

* rendering/shapes/ShapeInterval.h:
(WebCore::ShapeInterval::subtractShapeIntervals):

LayoutTests:

Added a test case that crashed a bounds-checking runtime prior to this fix.

* fast/shapes/shape-inside/shape-inside-subtract-intervals-crash-expected.html: Added.
* fast/shapes/shape-inside/shape-inside-subtract-intervals-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@155354 268f45cc-cd09-0410-ab3c-d52691b4dbfc
bad79a9e