WebCore:
author weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 10 May 2008 04:44:05 +0000 (04:44 +0000)
committer weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 10 May 2008 04:44:05 +0000 (04:44 +0000)
2008-05-09  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=18958
        NULL pointer dereference in NamedAttrMap::setNamedItem

        Test: fast/dom/NamedNodeMap-setNamedItem-crash.html

        * dom/NamedAttrMap.cpp:
        (WebCore::NamedAttrMap::setNamedItem): Null check the argument.

LayoutTests:

2008-05-09  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe.

        Test for https://bugs.webkit.org/show_bug.cgi?id=18958
        NULL pointer dereference in NamedAttrMap::setNamedItem

        * fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt: Added.
        * fast/dom/NamedNodeMap-setNamedItem-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@33023 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/NamedAttrMap.cpp

index 56e8f4a..af09937 100644 (file)
@@ -1,3 +1,13 @@
+2008-05-09  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Mark Rowe.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=18958
+        NULL pointer dereference in NamedAttrMap::setNamedItem
+
+        * fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt: Added.
+        * fast/dom/NamedNodeMap-setNamedItem-crash.html: Added.
+
 2008-05-09  Adam Barth  <abarth-webkit@adambarth.com>
 
         Reviewed by Sam Weinig.
diff --git a/LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt b/LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash-expected.txt
new file mode 100644 (file)
index 0000000..0cab08c
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 7: NOT_FOUND_ERR: DOM Exception 8
+This passes if it does not crash. (see https://bugs.webkit.org/show_bug.cgi?id=18958)
diff --git a/LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash.html b/LayoutTests/fast/dom/NamedNodeMap-setNamedItem-crash.html
new file mode 100644 (file)
index 0000000..0efda6f
--- /dev/null
@@ -0,0 +1,10 @@
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    onload = function()
+    {
+        document.body.attributes.setNamedItem(null);
+    }
+</script>
+This passes if it does not crash.  (see https://bugs.webkit.org/show_bug.cgi?id=18958)
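Review bot: the `setNamedItem(null)` call in the onload handler is left uncaught, so the test passes only by matching the uncaught-exception console message, and the expected file pins that message to "line 7", which shifts with any edit to this file. Consider wrapping the call in try/catch and printing the caught exception's code, so the test asserts NOT_FOUND_ERR directly and no longer depends on the script's line numbering.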
index 76b1e3b..6871686 100644 (file)
@@ -1,3 +1,15 @@
+2008-05-09  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Mark Rowe.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=18958
+        NULL pointer dereference in NamedAttrMap::setNamedItem
+
+        Test: fast/dom/NamedNodeMap-setNamedItem-crash.html
+
+        * dom/NamedAttrMap.cpp:
+        (WebCore::NamedAttrMap::setNamedItem): Null check the argument.
+
 2008-05-09  Kevin McCullough  <kmccullough@apple.com>
 
         Build fix.
index 9152936..67b8482 100644 (file)
@@ -92,7 +92,7 @@ PassRefPtr<Node> NamedAttrMap::getNamedItem(const QualifiedName& name) const
 
 PassRefPtr<Node> NamedAttrMap::setNamedItem(Node* arg, ExceptionCode& ec)
 {
-    if (!m_element) {
+    if (!m_element || !arg) {
         ec = NOT_FOUND_ERR;
         return 0;
     }
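Review bot: `if (!m_element || !arg)` folds the null-argument case into the branch that handles a map with no element, so both report NOT_FOUND_ERR and a caller cannot tell them apart. If NOT_FOUND_ERR is the intended code for a null argument, a one-line comment saying so would help; otherwise give `!arg` its own branch. Any other NamedAttrMap method that takes a raw `Node*` from script is worth checking for the same guard; none appears in this diff.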