-
abarth@webkit.org authored
Reviewed by Sam Weinig. OOB read with svg polyline https://bugs.webkit.org/show_bug.cgi?id=45279 In principle, attributeChanged can do anything. If we supported more DOM mutation events, it could even run JavaScript. That means we need to be prepared for the attribute map to change when running attributeChanged. This patch makes this loop resilient to the attribute map changing by storing the list of changed attributes on the stack. Test: fast/parser/changing-attrbutes-crash.html * dom/Element.cpp: (WebCore::Element::setAttributeMap): 2010-09-06 Adam Barth <abarth@webkit.org> Reviewed by Sam Weinig. OOB read with svg polyline https://bugs.webkit.org/show_bug.cgi?id=45279 Test what happens when SVG changes the attribute map out from under us. * fast/parser/changing-attrbutes-crash-expected.txt: Added. * fast/parser/changing-attrbutes-crash.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@66862 268f45cc-cd09-0410-ab3c-d52691b4dbfceaa3d7e9
