Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi
author: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Apr 2013 07:36:29 +0000 (07:36 +0000)
committer: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Apr 2013 07:36:29 +0000 (07:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=114664

Reviewed by Oliver Hunt.

Use RefPtr as needed.

No new tests since this bug was discovered by code inspection.

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@148497 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/editing/ApplyStyleCommand.cpp

index a2f0a8a5eed57e9f982d1abaca2a0cafbc31a7b1..85cb4423a2c120ead22da1965f4748d788973768 100644 (file)
@@ -1,3 +1,17 @@
+2013-04-15  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Potential use after free in ApplyStyleCommand::splitAncestorsWithUnicodeBidi
+        https://bugs.webkit.org/show_bug.cgi?id=114664
+
+        Reviewed by Oliver Hunt.
+
+        Use RefPtr as needed.
+
+        No new tests since this bug was discovered by code inspection.
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::splitAncestorsWithUnicodeBidi):
+
 2013-04-15  Timothy Hatcher  <timothy@apple.com>
 
         Web Inspector: Make var and function declarations work again in the Console.
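Review bot: the new ChangeLog entry says only "Use RefPtr as needed" and does not record why the raw pointers were unsafe; one sentence stating that `splitElement` mutates the tree and can drop the last reference to `n` or `parent` while the loop still uses them would make the entry self-explanatory for anyone reading the history of this function later.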
index 80f3fe3bdcbb2031ed7e5cba31d5b5d8fa9dc6e5..733e14d1e2352dda44857a117fe31d6f67445c64 100644 (file)
@@ -483,14 +483,14 @@ HTMLElement* ApplyStyleCommand::splitAncestorsWithUnicodeBidi(Node* node, bool b
     }
 
     // Split every ancestor through highest ancestor with embedding.
-    Node* n = node;
-    while (true) {
-        Element* parent = toElement(n->parentNode());
-        if (before ? n->previousSibling() : n->nextSibling())
-            splitElement(parent, before ? n : n->nextSibling());
+    RefPtr<Node> currentNode = node;
+    while (currentNode) {
+        RefPtr<Element> parent = toElement(currentNode->parentNode());
+        if (before ? currentNode->previousSibling() : currentNode->nextSibling())
+            splitElement(parent, before ? currentNode : currentNode->nextSibling());
         if (parent == highestAncestorWithUnicodeBidi)
             break;
-        n = n->parentNode();
+        currentNode = parent;
     }
     return unsplitAncestor;
 }
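Review bot: besides the lifetime fix, `while (currentNode)` together with `currentNode = parent` changes the loop's exit behaviour: if `parentNode()` returns null before `highestAncestorWithUnicodeBidi` is reached, the old `while (true)` loop would dereference null on the next iteration, while the new loop exits silently and returns `unsplitAncestor` as if the split had completed. Consider an `ASSERT(parent)` right after `RefPtr<Element> parent = toElement(currentNode->parentNode());` so a broken ancestor chain is still caught in debug builds, and a short comment above the loop noting that `parent` and `currentNode` are held as RefPtr because `splitElement` can mutate the tree.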