Crash in FormSubmission::create.

https://bugs.webkit.org/show_bug.cgi?id=77813

Reviewed by Kent Tamura.

Source/WebCore:

Test: fast/forms/form-submission-create-crash.xhtml

* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create):

LayoutTests:

* fast/forms/form-submission-create-crash-expected.txt: Added.
* fast/forms/form-submission-create-crash.xhtml: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@106771 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 02155f9..9a1bf73 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2012-02-05  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in FormSubmission::create.
+        https://bugs.webkit.org/show_bug.cgi?id=77813
+
+        Reviewed by Kent Tamura.
+
+        * fast/forms/form-submission-create-crash-expected.txt: Added.
+        * fast/forms/form-submission-create-crash.xhtml: Added.
+
 2012-02-05  Adam Barth  <abarth@webkit.org>
 
         Rebaseline xss-inactive-closure.html.  This test "fails" because of a

diff --git a/LayoutTests/fast/forms/form-submission-create-crash-expected.txt b/LayoutTests/fast/forms/form-submission-create-crash-expected.txt
new file mode 100644 (file)
index 0000000..1042c76
--- /dev/null
+++ b/LayoutTests/fast/forms/form-submission-create-crash-expected.txt
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+

diff --git a/LayoutTests/fast/forms/form-submission-create-crash.xhtml b/LayoutTests/fast/forms/form-submission-create-crash.xhtml
new file mode 100644 (file)
index 0000000..5947a2f
--- /dev/null
+++ b/LayoutTests/fast/forms/form-submission-create-crash.xhtml
@@ -0,0 +1,25 @@
+<html xmlns='http://www.w3.org/1999/xhtml'>
+Test passes if it does not crash.
+<form>
+<input id="submit" type="submit" />
+</form>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+textNode = document.createTextNode("x");
+document.getElementById("submit").appendChild(textNode);
+
+runTest = function() {
+    event = document.createEvent("MouseEvent");
+    event.initEvent("click");
+    textNode.dispatchEvent(event);
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+setTimeout(runTest, 0);
+</script>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 9469fd5..eace42d 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2012-02-05  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in FormSubmission::create.
+        https://bugs.webkit.org/show_bug.cgi?id=77813
+
+        Reviewed by Kent Tamura.
+
+        Test: fast/forms/form-submission-create-crash.xhtml
+
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create):
+
 2012-02-05  Andreas Kling  <awesomekling@apple.com>
 
         Remove unused file MappedAttributeEntry.h.

diff --git a/Source/WebCore/loader/FormSubmission.cpp b/Source/WebCore/loader/FormSubmission.cpp
index b121f98..0cab710 100644 (file)
--- a/Source/WebCore/loader/FormSubmission.cpp
+++ b/Source/WebCore/loader/FormSubmission.cpp
@@ -142,8 +142,11 @@ PassRefPtr<FormSubmission> FormSubmission::create(HTMLFormElement* form, const A
     ASSERT(form);
 
     HTMLFormControlElement* submitButton = 0;
-    if (event && event->target() && event->target()->toNode())
-        submitButton = static_cast<HTMLFormControlElement*>(event->target()->toNode());
+    if (event && event->target()) {
+        Node* node = event->target()->toNode();
+        if (node && node->isElementNode() && toElement(node)->isFormControlElement())
+            submitButton = static_cast<HTMLFormControlElement*>(node);
+    }
 
     FormSubmission::Attributes copiedAttributes;
     copiedAttributes.copyFrom(attributes);