<rdar://problem/8107855> Prevent a crash in WebCore when removing an
author aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Jun 2010 20:03:40 +0000 (20:03 +0000)
committer aestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Jun 2010 20:03:40 +0000 (20:03 +0000)
commit 047a5450230041caf35397761f87649edc3a2e17
tree 40bc0f466799c5aea6fbc31cc933f1a2c9a10f9d
parent 6585d016c13ff296bc3714dd5acf827e2d40dc25
<rdar://problem/8107855> Prevent a crash in WebCore when removing an
object element with an invalid data URL in a listener to its
beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=41054

Reviewed by Alexey Proskuryakov.

Tests: fast/dom/beforeload/remove-bad-object-in-beforeload-listener.html

* html/HTMLObjectElement.cpp:
(WebCore::HTMLObjectElement::renderFallbackContent): Exit early if the
object element is not in the document.
* rendering/RenderEmbeddedObject.cpp:
(WebCore::RenderEmbeddedObject::updateWidget): If RenderWidget::destroy()
was called during processing of onbeforeload, do not proceed with loading
the object.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@61707 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/fast/dom/beforeload/remove-bad-object-in-beforeload-listener.html [new file with mode: 0644]
LayoutTests/fast/dom/beforeload/resources/print.js [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/HTMLObjectElement.cpp
WebCore/rendering/RenderEmbeddedObject.cpp
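
The guard the commit message describes for `updateWidget` (stop loading if the renderer was destroyed while the beforeload listener ran) can be modelled in a few lines of C++. This is an added example, not code from the WebKit change: `Element`, `Renderer`, `LoadResult` and `runScenario` are hypothetical stand-ins, and `std::shared_ptr` is used in place of WebKit's own reference counting.

```cpp
#include <functional>
#include <memory>

struct Element;  // hypothetical stand-in for the object element

enum class LoadResult { Started, AbortedDestroyed };

// Hypothetical stand-in for the element's renderer.
struct Renderer : std::enable_shared_from_this<Renderer> {
    Element* element;  // cleared by destroy()
    explicit Renderer(Element* e) : element(e) {}
    void destroy() { element = nullptr; }  // detach from the element
    LoadResult updateWidget();
};

struct Element {
    std::shared_ptr<Renderer> renderer;
    std::function<void(Element&)> beforeLoadListener;  // script-controlled callback
    bool inDocument = true;
    void removeFromDocument() {
        inDocument = false;
        if (renderer) { renderer->destroy(); renderer.reset(); }
    }
};

LoadResult Renderer::updateWidget() {
    // Hold a reference across the dispatch: the listener may remove the
    // element and drop the only other reference to this renderer.
    std::shared_ptr<Renderer> protect = shared_from_this();
    Element* el = element;
    if (el->beforeLoadListener)
        el->beforeLoadListener(*el);
    // Re-check state after untrusted code ran; do not load if destroyed.
    if (!element)
        return LoadResult::AbortedDestroyed;
    return LoadResult::Started;
}

// Constructed scenario: an element whose listener optionally removes it.
LoadResult runScenario(bool listenerRemovesElement) {
    Element obj;
    obj.renderer = std::make_shared<Renderer>(&obj);
    if (listenerRemovesElement)
        obj.beforeLoadListener = [](Element& e) { e.removeFromDocument(); };
    return obj.renderer->updateWidget();
}

int main() {
    bool ok = runScenario(false) == LoadResult::Started &&
              runScenario(true) == LoadResult::AbortedDestroyed;
    return ok ? 0 : 1;
}
```

Without the `protect` reference and the post-dispatch check, the second scenario would continue to use a renderer that the listener had already released.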