Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
author rafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Dec 2012 16:30:31 +0000 (16:30 +0000)
committer rafaelw@chromium.org <rafaelw@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 28 Dec 2012 16:30:31 +0000 (16:30 +0000)
commit ef5a4e41288c21fbce7d6851a45360d6345b141b
tree 25894dc3e7dd0b0d683b0bde5eaee85d44956ba5
parent d05fa8b95a0583787154992f0a1d387e5925b222
Heap-use-after-free in WebCore::HTMLConstructionSite::mergeAttributesFromTokenIntoElement
https://bugs.webkit.org/show_bug.cgi?id=105780

Reviewed by Eric Seidel.

Source/WebCore:

This regression was created by the HTMLTemplateElement implementation. The issue was a missed instance of the
"fragment or template contents" case related to the parsing of colgroups.

* html/parser/HTMLTreeBuilder.cpp:
(WebCore::HTMLTreeBuilder::processColgroupEndTagForInColumnGroup):
(WebCore::HTMLTreeBuilder::processStartTag):
(WebCore::HTMLTreeBuilder::processCharacterBuffer):
(WebCore::HTMLTreeBuilder::processEndOfFile):

LayoutTests:

* html5lib/resources/template.dat:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138537 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/html5lib/resources/template.dat
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLTreeBuilder.cpp