Bug 48389

Summary: REGRESSION(r67170): crash in removeImplicitlyStyledElement
Product: WebKit
Component: HTML Editing
Status: RESOLVED FIXED
Severity: Normal
Priority: P1
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Ryosuke Niwa <rniwa>
Assignee: Ryosuke Niwa <rniwa>
CC: enrica, eric, ojan, tony
Keywords: HasReduction
Attachments:
- demo (flags: none)
- fixes the crash (flags: tkent: review+)

Description Ryosuke Niwa 2010-10-26 17:09:09 PDT
The crash occurs in the following lines of removeImplicitlyStyledElement when mapValue is null and extractedStyle is not null:
        if (extractedStyle)
            extractedStyle->setProperty(equivalent.propertyID, mapValue->cssText());
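The condition in the report, modelled as an added example that is not part of the original report and is not the WebKit patch (attachment 71969 is not shown on this page). The types are simplified stand-ins, and `lookupMapValue` and `extractEquivalent` are hypothetical names; the point is that `mapValue` and `extractedStyle` can each be null independently, so both are checked before the dereference.

```cpp
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Simplified stand-ins for the WebKit types named in the report (assumptions).
struct CSSValue {
    std::string text;
    std::string cssText() const { return text; }
};

struct StyleDeclaration {
    std::map<int, std::string> properties;
    void setProperty(int propertyID, const std::string& value) { properties[propertyID] = value; }
};

struct Equivalent {
    int propertyID;
    const char* attributeValue; // nullptr: nothing on the element maps to a CSS value
};

// Hypothetical lookup that produces mapValue; returns null when nothing maps.
std::unique_ptr<CSSValue> lookupMapValue(const Equivalent& equivalent) {
    if (!equivalent.attributeValue || !*equivalent.attributeValue)
        return nullptr;
    return std::unique_ptr<CSSValue>(new CSSValue{equivalent.attributeValue});
}

// Guarded form: the reported code checked only extractedStyle and then called
// mapValue->cssText(); here a null mapValue is rejected before any dereference.
bool extractEquivalent(const Equivalent& equivalent, StyleDeclaration* extractedStyle) {
    std::unique_ptr<CSSValue> mapValue = lookupMapValue(equivalent);
    if (!mapValue)
        return false; // nothing to extract for this property
    if (extractedStyle) // the out-parameter is optional
        extractedStyle->setProperty(equivalent.propertyID, mapValue->cssText());
    return true;
}

int main() {
    StyleDeclaration extracted;
    const Equivalent samples[] = {{1, "bold"}, {2, nullptr}, {3, "italic"}}; // constructed input
    for (const Equivalent& e : samples)
        std::cout << e.propertyID << ": "
                  << (extractEquivalent(e, &extracted) ? "extracted" : "skipped") << "\n";
    return extracted.properties.size() == 2 ? 0 : 1;
}
```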
Comment 1 Ryosuke Niwa 2010-10-26 17:09:33 PDT
Created attachment 71967
demo
Comment 2 Ryosuke Niwa 2010-10-26 17:19:07 PDT
http://crbug.com/59992
Comment 3 Ryosuke Niwa 2010-10-26 17:20:46 PDT
Created attachment 71969
fixes the crash
Comment 4 Kent Tamura 2010-10-26 17:21:42 PDT
Comment on attachment 71969
fixes the crash

ok
Comment 5 Ryosuke Niwa 2010-10-26 17:23:26 PDT
(In reply to comment #4)
> (From update of attachment 71969)
> ok

Wow, that was really quick! I'd appreciate it if you could take a look at https://bugs.webkit.org/show_bug.cgi?id=48349, since it's a security bug. I just cc-ed you on the bug.
Comment 6 Ryosuke Niwa 2010-10-26 17:44:07 PDT
Thanks for the review, Kent.

Landed as http://trac.webkit.org/changeset/70593.