Commit 6f9ee4d9 authored by rniwa@webkit.org's avatar rniwa@webkit.org

Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement

https://bugs.webkit.org/show_bug.cgi?id=114911

Reviewed by Oliver Hunt.

Back ported https://src.chromium.org/viewvc/blink?revision=148680&view=revision.

* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148908 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent bdddf9e1
2013-04-22 Ryosuke Niwa <rniwa@webkit.org>
Use-after-free in CompositeEditCommand::cloneParagraphUnderNewElement
https://bugs.webkit.org/show_bug.cgi?id=114911
Reviewed by Oliver Hunt.
Back ported https://src.chromium.org/viewvc/blink?revision=148680&view=revision.
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::cloneParagraphUnderNewElement):
2013-04-22 Eric Carlson <eric.carlson@apple.com>
[Mac] "automatic" track selection should only select a track that matches user language
......@@ -1037,8 +1037,8 @@ void CompositeEditCommand::cloneParagraphUnderNewElement(Position& start, Positi
outerNode = outerNode->parentNode();
}
Node* startNode = start.deprecatedNode();
for (Node* node = NodeTraversal::nextSkippingChildren(startNode, outerNode.get()); node; node = NodeTraversal::nextSkippingChildren(node, outerNode.get())) {
RefPtr<Node> startNode = start.deprecatedNode();
for (RefPtr<Node> node = NodeTraversal::nextSkippingChildren(startNode.get(), outerNode.get()); node; node = NodeTraversal::nextSkippingChildren(node.get(), outerNode.get())) {
// Move lastNode up in the tree as much as node was moved up in the
// tree by NodeTraversal::nextSkippingChildren, so that the relative depth between
// node and the original start node is maintained in the clone.
......@@ -1050,7 +1050,7 @@ void CompositeEditCommand::cloneParagraphUnderNewElement(Position& start, Positi
RefPtr<Node> clonedNode = node->cloneNode(true);
insertNodeAfter(clonedNode, lastNode);
lastNode = clonedNode.release();
if (node == end.deprecatedNode() || end.deprecatedNode()->isDescendantOf(node))
if (node == end.deprecatedNode() || end.deprecatedNode()->isDescendantOf(node.get()))
break;
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment