Changeset 49788 in webkit
- Timestamp:
- Oct 19, 2009 9:18:19 AM (14 years ago)
- Location:
- trunk/WebCore
- Files:
- 2 edited
trunk/WebCore/ChangeLog
r49787 r49788 1 2009-10-19 Dimitri Glazkov <dglazkov@chromium.org> 2 3 Reviewed by Darin Adler. 4 5 Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare 6 fastRealloc edge case. 7 https://bugs.webkit.org/show_bug.cgi?id=29313 8 9 No test, the crash shows up occasionally in crash dumps, we weren't able 10 to reproduce it locally. 11 12 * html/HTMLTokenizer.cpp: 13 (WebCore::HTMLTokenizer::enlargeScriptBuffer): Added an early exit to 14 avoid calling fastRealloc with the size of 0. 15 1 16 2009-10-19 Andrew Scherkus <scherkus@chromium.org> 2 17 -
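Review bot: the entry justifies "No test" by the crash not reproducing locally, yet the accompanying HTMLTokenizer.cpp comment names the triggering input (a document that begins with "<!--" with more data still to come). A LayoutTest that feeds such a document to the parser in chunks would at least exercise the early-return path; if that was tried and does not reach the zero-size realloc, say so here so the next reader does not repeat the attempt.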
trunk/WebCore/html/HTMLTokenizer.cpp
r49394 r49788 1987 1987 1988 1988 int newSize = m_scriptCodeCapacity + delta; 1989 // If we allow fastRealloc(ptr, 0), it will call CRASH(). We run into this 1990 // case if the HTML being parsed begins with "<!--" and there's more data 1991 // coming. 1992 if (!newSize) { 1993 ASSERT(!m_scriptCode); 1994 return; 1995 } 1996 1989 1997 m_scriptCode = static_cast<UChar*>(fastRealloc(m_scriptCode, newSize * sizeof(UChar))); 1990 1998 m_scriptCodeCapacity = newSize;
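Review bot: the new `if (!newSize)` check catches only the exact-zero case. newSize is a signed int computed as m_scriptCodeCapacity + delta, and nothing in this hunk bounds delta below, so a delta more negative than the current capacity leaves newSize negative and `newSize * sizeof(UChar)` converts to a huge size_t before fastRealloc ever sees it. Either widen the guard to `if (newSize <= 0)` or add `ASSERT(newSize >= 0);` ahead of the realloc so both edges of the arithmetic are covered. On the early-return path, also consider setting m_scriptCodeCapacity = 0 so the capacity stays consistent with the m_scriptCode the ASSERT expects to be null.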