WebCore:
author mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Dec 2007 18:09:34 +0000 (18:09 +0000)
committer mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 Dec 2007 18:09:34 +0000 (18:09 +0000)
        Reviewed by Adam Roben.

        - fix <rdar://problem/5538651> REGRESSION: domfuzz: null deref in WebCore::Document::canReplaceChild

        Test: fast/dom/Document/replaceChild-null-oldChild.html

        * dom/Document.cpp:
        (WebCore::Document::canReplaceChild):

LayoutTests:

        Reviewed by Adam Roben.

        - test for <rdar://problem/5538651> REGRESSION: domfuzz: null deref in WebCore::Document::canReplaceChild

        * fast/dom/Document/replaceChild-null-oldChild-expected.txt: Added.
        * fast/dom/Document/replaceChild-null-oldChild.html: Added.
        * fast/dom/Document/resources/replaceChild-null-oldChild.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28354 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/Document/replaceChild-null-oldChild-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Document/replaceChild-null-oldChild.html [new file with mode: 0644]
LayoutTests/fast/dom/Document/resources/replaceChild-null-oldChild.js [new file with mode: 0644]
WebCore/ChangeLog
WebCore/dom/Document.cpp

index 8a31051782d097d8cb19edf9696a1c546c831583..e43df3ac0d8f334de9907cf6bd5e8b5d1226963a 100644 (file)
@@ -1,3 +1,13 @@
+2007-12-03  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Adam Roben.
+
+        - test for <rdar://problem/5538651> REGRESSSION: domfuzz: null deref in WebCore::Document::canReplaceChild
+
+        * fast/dom/Document/replaceChild-null-oldChild-expected.txt: Added.
+        * fast/dom/Document/replaceChild-null-oldChild.html: Added.
+        * fast/dom/Document/resources/replaceChild-null-oldChild.js: Added.
+
 2007-12-02  Darin Adler  <darin@apple.com>
 
         Reviewed by Mitz.
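Review bot: the bullet line of the new LayoutTests/ChangeLog entry misspells "REGRESSSION" (three S's); it should read "- test for <rdar://problem/5538651> REGRESSION: domfuzz: null deref in WebCore::Document::canReplaceChild" so the entry matches a search for the usual keyword.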
diff --git a/LayoutTests/fast/dom/Document/replaceChild-null-oldChild-expected.txt b/LayoutTests/fast/dom/Document/replaceChild-null-oldChild-expected.txt
new file mode 100644 (file)
index 0000000..4f1b20a
--- /dev/null
@@ -0,0 +1,10 @@
+Test behavior of Document.replaceChild() when oldChild is null.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.replaceChild(document.firstChild, null) threw exception Error: NOT_FOUND_ERR: DOM Exception 8.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/Document/replaceChild-null-oldChild.html b/LayoutTests/fast/dom/Document/replaceChild-null-oldChild.html
new file mode 100644 (file)
index 0000000..5d1c9d4
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css">
+<script src="../../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/replaceChild-null-oldChild.js"></script>
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/Document/resources/replaceChild-null-oldChild.js b/LayoutTests/fast/dom/Document/resources/replaceChild-null-oldChild.js
new file mode 100644 (file)
index 0000000..c04c0a9
--- /dev/null
@@ -0,0 +1,5 @@
+description('Test behavior of Document.replaceChild() when oldChild is null.');
+
+shouldThrow('document.replaceChild(document.firstChild, null)', '"Error: NOT_FOUND_ERR: DOM Exception 8"');
+
+var successfullyParsed = true;
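Review bot: the test exercises only a literal null oldChild; consider a second shouldThrow for an undefined oldChild, e.g. `shouldThrow('document.replaceChild(document.firstChild, undefined)', '"Error: NOT_FOUND_ERR: DOM Exception 8"');`, since undefined is likely converted to a null Node by the bindings and would otherwise reach canReplaceChild untested. Pinning the exact exception text is fine for a regression test, but note that the expected string has to be updated if the exception's toString format ever changes.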
index dfebd917e87a322225b5056b6af85f55f1b197e5..b0f1252fb6886ff030c98cf177dea5de91fd1a0d 100644 (file)
@@ -1,3 +1,14 @@
+2007-12-03  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Adam Roben.
+
+        - fix <rdar://problem/5538651> REGRESSSION: domfuzz: null deref in WebCore::Document::canReplaceChild
+
+        Test: fast/dom/Document/replaceChild-null-oldChild.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::canReplaceChild):
+
 2007-12-03  Holger Hans Peter Freyther  <holger.freyther@trolltech.com>
 
         Reviewed by Simon.
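Review bot: the same "REGRESSSION" misspelling appears in the new WebCore/ChangeLog bullet; it should read "- fix <rdar://problem/5538651> REGRESSION: domfuzz: null deref in WebCore::Document::canReplaceChild" to match the LayoutTests entry once corrected.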
index 8deee67a2d39359026a8c75f4db95ba117caf455..4f666723b4bf4a0156a32e0ffbcce94a0dc47647 100644 (file)
@@ -1886,6 +1886,10 @@ bool Document::childTypeAllowed(NodeType type)
 
 bool Document::canReplaceChild(Node* newChild, Node* oldChild)
 {
+    if (!oldChild)
+        // ContainerNode::replaceChild will raise a NOT_FOUND_ERR.
+        return true;
+
     if (oldChild->nodeType() == newChild->nodeType())
         return true;
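Review bot: the new guard checks only oldChild, yet the very next line still dereferences newChild unconditionally (`if (oldChild->nodeType() == newChild->nodeType())`); confirm that every caller rejects a null newChild before reaching canReplaceChild, or guard it the same way, since this domfuzz case shows the arguments can arrive null. Returning true here is correct only because, as the comment says, ContainerNode::replaceChild raises NOT_FOUND_ERR for a null oldChild, so that dependency should stay documented. Style: a comment sandwiched between an unbraced `if (!oldChild)` and its `return true;` is easy to misread as the body; move the comment above the if or brace the body.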