Changeset 58149 in webkit


Timestamp:
Apr 22, 2010 9:51:39 PM (14 years ago)
Author:
hamaji@chromium.org
Message:

2010-04-22 Shinichiro Hamaji <hamaji@chromium.org>

Reviewed by Darin Adler.

REGRESSION: TextIterator may use freed memory
https://bugs.webkit.org/show_bug.cgi?id=37973

  • platform/chromium/test_expectations.txt:

2010-04-22 Shinichiro Hamaji <hamaji@chromium.org>

Reviewed by Darin Adler.

REGRESSION: TextIterator may use freed memory
https://bugs.webkit.org/show_bug.cgi?id=37973

Added TextIterator::m_text to hold the returned String.

No new tests because there is no behavior change, but
copy-backslash-with-euc.html on chromium-win should test this.

  • editing/TextIterator.cpp: (WebCore::TextIterator::emitText):
  • editing/TextIterator.h:
Location:
trunk
Files:
5 edited

  • trunk/LayoutTests/ChangeLog

    r58137 r58149  
     12010-04-22  Shinichiro Hamaji  <hamaji@chromium.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        REGRESSION: TextIterator may use freed memory
     6        https://bugs.webkit.org/show_bug.cgi?id=37973
     7
     8        * platform/chromium/test_expectations.txt:
     9
    1102010-04-22  Yuzo Fujishima  <yuzo@google.com>
    211
  • trunk/LayoutTests/platform/chromium/test_expectations.txt

    r58137 r58149  
    27482748BUGJAMESR BUG30048 BUG29737 : svg/filters/shadow-on-rect-with-filter.svg = IMAGE
    27492749
    2750 // Broke at r57940
    2751 BUGWK37907 WIN : editing/pasteboard/copy-backslash-with-euc.html = FAIL
    2752 
    27532750// New layoutTestController function added at r57986
    27542751BUGJAMESR : fast/lists/ol-nested-items-dynamic-insert.html = TEXT
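
Review bot: The removed expectation at old line 2751 is tagged BUGWK37907 (with the comment "Broke at r57940"), while the ChangeLog entries for this change cite bug 37973. Mention 37907 in the LayoutTests ChangeLog entry so that the removal of this expectation can be traced from either bug.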
  • trunk/WebCore/ChangeLog

    r58145 r58149  
     12010-04-22  Shinichiro Hamaji  <hamaji@chromium.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        REGRESSION: TextIterator may use freed memory
     6        https://bugs.webkit.org/show_bug.cgi?id=37973
     7
     8        Added TextIterator::m_text to hold the returned String.
     9
     10        No new tests because there are no behavior change, but
     11        copy-backslash-with-euc.html on chromium-win should test this.
     12
     13        * editing/TextIterator.cpp:
     14        (WebCore::TextIterator::emitText):
     15        * editing/TextIterator.h:
     16
    1172010-04-22  Michael Forney  <mforney@mforney.org>
    218
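
Review bot: The "No new tests" paragraph (new lines 10-11) leaves copy-backslash-with-euc.html on chromium-win as the only coverage for a use of freed memory. A single-platform layout test is thin regression coverage for a lifetime bug; either add a test that exercises emitText on every port, or state in the entry why only chromium-win reaches the bad path.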
  • trunk/WebCore/editing/TextIterator.cpp

    r58040 r58149  
    892892{
    893893    RenderText* renderer = toRenderText(m_node->renderer());
    894     String str = m_emitsTextWithoutTranscoding ? renderer->textWithoutTranscoding() : renderer->text();
    895     ASSERT(str.characters());
     894    m_text = m_emitsTextWithoutTranscoding ? renderer->textWithoutTranscoding() : renderer->text();
     895    ASSERT(m_text.characters());
    896896
    897897    m_positionNode = textNode;
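
Review bot: At new line 895, ASSERT(m_text.characters()) is the only guard on the buffer pointer, and ASSERT is compiled out of release builds, so later code in emitText would offset a null pointer if the renderer ever returned a null String. If that case is reachable, handle it explicitly (for example by returning early) instead of only asserting.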
     
    899899    m_positionStartOffset = textStartOffset;
    900900    m_positionEndOffset = textEndOffset;
    901     m_textCharacters = str.characters() + textStartOffset;
     901    m_textCharacters = m_text.characters() + textStartOffset;
    902902    m_textLength = textEndOffset - textStartOffset;
    903     m_lastCharacter = str[textEndOffset - 1];
     903    m_lastCharacter = m_text[textEndOffset - 1];
    904904
    905905    m_lastTextNodeEndedWithCollapsedSpace = false;
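
Review bot: At new lines 901 and 903, textStartOffset and textEndOffset are applied to m_text with no check against its length, and m_text[textEndOffset - 1] additionally assumes textEndOffset is at least 1. Since this change is about the memory safety of m_textCharacters, add an ASSERT near line 895 that textStartOffset <= textEndOffset and that textEndOffset is between 1 and m_text.length(), so the contract with callers is written down.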
  • trunk/WebCore/editing/TextIterator.h

    r58040 r58149  
    128128    const UChar* m_textCharacters;
    129129    int m_textLength;
    130    
     130    // Hold string m_textCharacters points to so we ensure it won't be deleted.
     131    String m_text;
     132
    131133    // Used when there is still some pending text from the current node; when these
    132134    // are false and 0, we go back to normal iterating.
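
Review bot: The new comment at line 130 explains that m_text keeps the buffer alive, but not the invariant that follows: m_textCharacters is a raw pointer into m_text, so any later assignment to m_text must also update m_textCharacters and m_textLength. State that in the comment, and say whether m_text owns the buffer for every value m_textCharacters can take or only for the one set in emitText.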