Commit 7e9bb4ce authored by rniwa@webkit.org's avatar rniwa@webkit.org

Use-after-free in ApplyStyleCommand::removeInlineStyle

https://bugs.webkit.org/show_bug.cgi?id=118627

Reviewed by Oliver Hunt.
        
Merge https://chromium.googlesource.com/chromium/blink/+/b6471d077e012b05ccba14d0ce8e6d616106c8e6

Unfortunately, there is no test case for this bug.

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::removeInlineStyle):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153102 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 32a3ed38
2013-07-24 Ryosuke Niwa <rniwa@webkit.org>
Use-after-free in ApplyStyleCommand::removeInlineStyle
https://bugs.webkit.org/show_bug.cgi?id=118627
Reviewed by Oliver Hunt.
Merge https://chromium.googlesource.com/chromium/blink/+/b6471d077e012b05ccba14d0ce8e6d616106c8e6
Unfortunately, there is no test case for this bug.
* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::removeInlineStyle):
2013-07-24 Zan Dobersek <zdobersek@igalia.com>
Remove CheckedInt, use Checked<T, RecordOverflow> instead
......@@ -1109,16 +1109,17 @@ void ApplyStyleCommand::removeInlineStyle(EditingStyle* style, const Position &s
Position s = start.isNull() || start.isOrphan() ? pushDownStart : start;
Position e = end.isNull() || end.isOrphan() ? pushDownEnd : end;
Node* node = start.deprecatedNode();
RefPtr<Node> node = start.deprecatedNode();
while (node) {
RefPtr<Node> next;
if (editingIgnoresContent(node)) {
if (editingIgnoresContent(node.get())) {
ASSERT(node == end.deprecatedNode() || !node->contains(end.deprecatedNode()));
next = NodeTraversal::nextSkippingChildren(node);
next = NodeTraversal::nextSkippingChildren(node.get());
} else
next = NodeTraversal::next(node);
if (node->isHTMLElement() && nodeFullySelected(node, start, end)) {
RefPtr<HTMLElement> elem = toHTMLElement(node);
next = NodeTraversal::next(node.get());
if (node->isHTMLElement() && nodeFullySelected(node.get(), start, end)) {
RefPtr<HTMLElement> elem = toHTMLElement(node.get());
RefPtr<Node> prev = NodeTraversal::previousPostOrder(elem.get());
RefPtr<Node> next = NodeTraversal::next(elem.get());
RefPtr<EditingStyle> styleToPushDown;
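Review bot: Nothing in the code records why `node` has to be a `RefPtr<Node>` rather than a raw `Node*`, and the commit message says there is no regression test, so a later cleanup could turn the declaration back into a raw pointer without anything failing. A comment above the declaration would pin the intent, for example `// Keep node alive: style removal below can mutate the DOM and release the last other reference to it.` The calls that would do the mutating are outside this hunk, because the loop body continues past the last visible line, so that wording should be checked against the rest of removeInlineStyle. Separately, the inner `RefPtr<Node> next = NodeTraversal::next(elem.get());` shadows the loop-level `RefPtr<Node> next;` declared a few lines earlier, which makes it harder to see which reference is held at each point; renaming one of them would help.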