Reviewed by Darin.
authorap <ap@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2006 04:54:12 +0000 (04:54 +0000)
committerap <ap@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 18 Apr 2006 04:54:12 +0000 (04:54 +0000)
        - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=8440
        iExploder(#3327): Crash in StringImpl::initWithQChar()

        Test: fast/parser/number-sign-in-map-name.html

        * html/html_imageimpl.cpp:
        (WebCore::HTMLMapElement::parseMappedAttribute): Fixed handling of names starting with a '#'.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@13949 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/parser/number-sign-in-map-name-expected.txt [new file with mode: 0644]
LayoutTests/fast/parser/number-sign-in-map-name.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/html/html_imageimpl.cpp

index accfb9a7aaadce5f3676d8215dd418d82c20fc57..7c83b7b33853bb271f98dd74cb86123d25ff4b57 100644 (file)
@@ -1,3 +1,13 @@
+2006-04-17  Alexey Proskuryakov  <ap@nypop.com>
+
+        Reviewed by Darin.
+
+        - test for http://bugzilla.opendarwin.org/show_bug.cgi?id=8440
+        iExploder(#3327): Crash in StringImpl::initWithQChar()
+
+        * fast/parser/number-sign-in-map-name-expected.txt: Added.
+        * fast/parser/number-sign-in-map-name.html: Added.
+
 2006-04-17  Adele Peterson  <adele@apple.com>
 
         Test and updated results for: http://bugzilla.opendarwin.org/show_bug.cgi?id=8269
 2006-04-17  Adele Peterson  <adele@apple.com>
 
         Test and updated results for: http://bugzilla.opendarwin.org/show_bug.cgi?id=8269
diff --git a/LayoutTests/fast/parser/number-sign-in-map-name-expected.txt b/LayoutTests/fast/parser/number-sign-in-map-name-expected.txt
new file mode 100644 (file)
index 0000000..d1c8cc4
--- /dev/null
@@ -0,0 +1,4 @@
+Bug 8440: iExploder(#3327): Crash in StringImpl::initWithQChar().
+Shouldn't crash
+
+
diff --git a/LayoutTests/fast/parser/number-sign-in-map-name.html b/LayoutTests/fast/parser/number-sign-in-map-name.html
new file mode 100644 (file)
index 0000000..58b38ed
--- /dev/null
@@ -0,0 +1,19 @@
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<map abbr="#647015" name="#17731"></map>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<a href="http://bugzilla.opendarwin.org/show_bug.cgi?id=8440">Bug 8440</a>:
+iExploder(#3327): Crash in StringImpl::initWithQChar().
+<p>Shouldn't crash</p>
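Review bot: The test exercises only one input shape, `name="#17731"` repeated twelve times, so the boundary cases next to the fixed code path are not covered: a name that is just `#`, an empty `name=""`, and a name with no leading `#`. Adding one element for each, for example `<map name="#"></map>` and `<map name=""></map>`, would pin the parser's behaviour on the inputs a fuzzer is most likely to produce next. A short comment saying why the element is repeated would also help; presumably the original crash depended on uninitialised data and did not reproduce reliably with a single element, but the file does not say so.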
index 29b5913d7bc049bce1ba5cd7f59e86a99e3f9afd..405f19aff5c21665fd92acdcaaae01b639d005b1 100644 (file)
@@ -1,3 +1,15 @@
+2006-04-17  Alexey Proskuryakov  <ap@nypop.com>
+
+        Reviewed by Darin.
+
+        - fix http://bugzilla.opendarwin.org/show_bug.cgi?id=8440
+        iExploder(#3327): Crash in StringImpl::initWithQChar()
+
+        Test: fast/parser/number-sign-in-map-name.html
+
+        * html/html_imageimpl.cpp:
+        (WebCore::HTMLMapElement::parseMappedAttribute): Fixed handling of names starting with a '#'.
+
 2006-04-17  Adele Peterson  <adele@apple.com>
 
         Reviewed by Darin.
 2006-04-17  Adele Peterson  <adele@apple.com>
 
         Reviewed by Darin.
index 71bdf3888aecff3158512e5c9212f516049ed8ab..7598b407d7600f4db4991a9bd3ef379e80c5c2bd 100644 (file)
@@ -488,9 +488,9 @@ void HTMLMapElement::parseMappedAttribute(MappedAttribute *attr)
         doc->removeImageMap(this);
         m_name = attr->value();
         if (m_name[0] == '#') {
         doc->removeImageMap(this);
         m_name = attr->value();
         if (m_name[0] == '#') {
-            String mapName = mapName.copy();
+            String mapName(m_name.domString().copy());
             mapName.remove(0, 1);
             mapName.remove(0, 1);
-            m_name = mapName.impl();
+            m_name = mapName;
         }
         doc->addImageMap(this);
     } else
         }
         doc->addImageMap(this);
     } else
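Review bot: The `if (m_name[0] == '#')` guard kept on the new side still indexes the value before anything confirms it is non-empty, and a name consisting only of `#` is reduced by `mapName.remove(0, 1)` to an empty string that is then registered through `doc->addImageMap(this)`. Whether indexing an empty or null value is safe for this string type cannot be seen from the hunk, so it is worth confirming and, given that the bug came from fuzzed markup, adding an explicit emptiness check ahead of the index. I would also add a comment above the new declaration, e.g. `// Work on a copy so remove() does not alter the string the attribute still holds.`, since that appears to be why `copy()` is needed. The body of parseMappedAttribute starts and ends outside this hunk.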