The for loop to iterate over the children vector in -[WebHistoryItem dictionaryRepresentation] starts out with i = children.size(), so if we ever hit that loop we're going to attempt an access past the end of the children vector. It should be i = children.size()-1.
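The off-by-one described above, as an added illustration that is not WebKit's code: a plain std::vector of strings stands in for the history item's children vector, and the loop shape (a signed index counting down to 0, which the `size()-1` fix implies) is an assumption. A bounds-checked accessor turns the stray read into an exception so the bug is observable rather than a silent out-of-bounds read. A third variant shows the unsigned idiom that needs neither an emptiness guard nor a signed index.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for the history item's children vector (not WTF::Vector).
using Children = std::vector<std::string>;

// Bounds-checked access: the off-by-one surfaces as std::out_of_range
// instead of an out-of-bounds read of whatever sits past the buffer.
static const std::string& childAt(const Children& c, int i) {
    if (i < 0 || static_cast<size_t>(i) >= c.size())
        throw std::out_of_range("child index " + std::to_string(i)
                                + " out of range for size " + std::to_string(c.size()));
    return c[static_cast<size_t>(i)];
}

// Loop as the bug report describes it (assumed shape: signed index, i >= 0).
// The first iteration reads children[size()], one element past the end.
std::vector<std::string> collectChildrenBuggy(const Children& children) {
    std::vector<std::string> out;
    if (children.empty())
        return out;
    for (int i = static_cast<int>(children.size()); i >= 0; i--)
        out.push_back(childAt(children, i));
    return out;
}

// The fix: start at size()-1, the last valid index. The emptiness guard is
// still needed, since size()-1 on an empty vector would otherwise be -1 here
// (fine for int) or SIZE_MAX if the index were unsigned.
std::vector<std::string> collectChildrenFixed(const Children& children) {
    std::vector<std::string> out;
    if (children.empty())
        return out;
    for (int i = static_cast<int>(children.size()) - 1; i >= 0; i--)
        out.push_back(childAt(children, i));
    return out;
}

// Unsigned idiom that avoids both pitfalls: the post-decrement in the
// condition visits size()-1 down to 0 and runs zero times for an empty vector.
std::vector<std::string> collectChildrenUnsigned(const Children& children) {
    std::vector<std::string> out;
    for (size_t i = children.size(); i-- > 0;)
        out.push_back(children[i]);
    return out;
}

// True if the buggy loop touches an index past the end on a constructed sample.
bool buggyLoopReadsPastEnd() {
    const Children sample = {"a", "b", "c"};  // constructed sample data
    try {
        collectChildrenBuggy(sample);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}
```

With `operator[]` instead of `childAt`, the buggy loop would not throw; it would read one element past the end and, for a vector of pointers as in the real code, dereference garbage, which is why the report calls it a bad access rather than a crash that is easy to reproduce.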
Created attachment 24979 [details] This patch prevents the bad access.
Created attachment 24980 [details] Same patch as before, but with a bit more whitespace and a ChangeLog...
Comment on attachment 24980 [details] Same patch as before, but with a bit more whitespace and a ChangeLog... This change is clearly correct, but we normally require regression tests for bug fixes. Were you able to reproduce a problem? I'd love to see a test and not just the fix. r=me
Created attachment 25025 [details] New patch It turns out that -[WebHistoryItem initWithDictionaryRepresentation] has the same problem as -[WebHistoryItem dictionaryRepresentation] so fixing that as well and updating the ChangeLog.
Comment on attachment 24980 [details] Same patch as before, but with a bit more whitespace and a ChangeLog... Clearing review flag on unlanded patch.
(In reply to comment #3)
> (From update of attachment 24980 [details] [review])
> This change is clearly correct, but we normally require regression tests for
> bug fixes. Were you able to reproduce a problem? I'd love to see a test and not
> just the fix.
>
> r=me
>
I think that the affected API is not currently used in the Safari browser, so I will not be able to provide a layout test. In theory I could write a new application designed to demonstrate the problem, but in this case I doubt that it's necessary.
Comment on attachment 25025 [details] New patch r=me
$ git svn dcommit
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	WebKit/mac/ChangeLog
	M	WebKit/mac/History/WebHistoryItem.mm
Committed r38315