[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
eric at webkit.org
Thu Oct 29 20:47:46 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 33f0def6eac2d8d271fc624dcaea2cd28a20ba0d
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Oct 19 16:18:19 2009 +0000
2009-10-19 Dimitri Glazkov <dglazkov at chromium.org>
Reviewed by Darin Adler.
Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare
fastRealloc edge case.
https://bugs.webkit.org/show_bug.cgi?id=29313
No test, the crash shows up occasionally in crash dumps, we weren't able
to reproduce it locally.
* html/HTMLTokenizer.cpp:
(WebCore::HTMLTokenizer::enlargeScriptBuffer): Added an early exit to
avoid calling fastRealloc with the size of 0.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49788 268f45cc-cd09-0410-ab3c-d52691b4dbfc
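The realloc-with-zero edge case the commit message describes, as an added example that is not WebKit's code: a minimal model of the script buffer and of enlargeScriptBuffer() after the patch, with a stand-in allocator (modelFastRealloc, assumed here) that rejects a 0-byte request the way the patch comment says fastRealloc() does, and an assumed growth policy (delta = max(capacity, len)) chosen so that an empty buffer asked for 0 more characters yields newSize == 0. The struct, field and helper names are assumptions; only enlargeScriptBuffer's shape is taken from the patch.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <stdexcept>

// Stand-in for WebKit's UChar (a 16-bit code unit).
typedef uint16_t UChar;

// Minimal model of the tokenizer's script buffer (field names assumed).
struct ScriptBuffer {
    UChar* code = nullptr;  // plays the role of m_scriptCode
    int capacity = 0;       // plays the role of m_scriptCodeCapacity
};

// Assumed stand-in for fastRealloc(). The patch comment says fastRealloc(ptr, 0)
// calls CRASH(); this model throws instead so the edge case is observable in a
// test rather than aborting the process.
static void* modelFastRealloc(void* ptr, size_t bytes) {
    if (bytes == 0)
        throw std::logic_error("zero-byte realloc request");
    void* result = std::realloc(ptr, bytes);
    if (!result)
        throw std::bad_alloc();
    return result;
}

// Assumed growth policy: grow by the larger of the current capacity (doubling)
// and the requested length. With capacity 0 and len 0 the delta is 0, which
// is exactly the newSize == 0 case the patch guards against.
static int growthDelta(const ScriptBuffer& buf, int len) {
    return len > buf.capacity ? len : buf.capacity;
}

// Models enlargeScriptBuffer() after the patch; returns the resulting capacity.
// guardZero=false shows the pre-patch behaviour on the same input.
static int enlarge(ScriptBuffer& buf, int len, bool guardZero = true) {
    if (len < 0)
        throw std::invalid_argument("negative length");
    int delta = growthDelta(buf, len);
    if (buf.capacity > INT_MAX - delta)   // the CRASH() overflow check, modelled
        throw std::overflow_error("capacity + delta would overflow int");
    int newSize = buf.capacity + delta;
    // The early exit added by the patch: nothing to store, nothing to allocate.
    if (guardZero && newSize == 0) {
        if (buf.code)                     // the ASSERT(!m_scriptCode) invariant
            throw std::logic_error("zero capacity with a live pointer");
        return buf.capacity;
    }
    size_t bytes = static_cast<size_t>(newSize) * sizeof(UChar);
    buf.code = static_cast<UChar*>(modelFastRealloc(buf.code, bytes));
    buf.capacity = newSize;
    return newSize;
}

// True if the unguarded path on an empty buffer with len 0 reaches the
// allocator with a 0-byte request (a CRASH() in WebKit, a throw here).
static bool unguardedZeroGrowthFails() {
    ScriptBuffer buf;
    try {
        enlarge(buf, 0, /*guardZero=*/false);
    } catch (const std::logic_error&) {
        return true;
    }
    std::free(buf.code);
    return false;
}

static void release(ScriptBuffer& buf) {
    std::free(buf.code);
    buf.code = nullptr;
    buf.capacity = 0;
}

int main() {
    ScriptBuffer buf;
    std::printf("guarded enlarge(0) on empty buffer -> capacity %d\n", enlarge(buf, 0));
    std::printf("unguarded path hits a 0-byte realloc: %s\n",
                unguardedZeroGrowthFails() ? "yes" : "no");
    int afterFour = enlarge(buf, 4);
    int afterTwo = enlarge(buf, 2);
    std::printf("enlarge(4) -> %d, then enlarge(2) -> %d\n", afterFour, afterTwo);
    release(buf);
    return 0;
}
```

With plain C realloc() the same input is worse than a crash: C11 leaves realloc(ptr, 0) implementation-defined, and common allocators free ptr and return NULL, so code that keeps the old pointer around afterwards holds a dangling pointer. A guard like the one in the patch, or a non-zero minimum allocation, avoids both outcomes.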
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 30c84a2..a965776 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-19 Dimitri Glazkov <dglazkov at chromium.org>
+
+ Reviewed by Darin Adler.
+
+ Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare
+ fastRealloc edge case.
+ https://bugs.webkit.org/show_bug.cgi?id=29313
+
+ No test, the crash shows up occasionally in crash dumps, we weren't able
+ to reproduce it locally.
+
+ * html/HTMLTokenizer.cpp:
+ (WebCore::HTMLTokenizer::enlargeScriptBuffer): Added an early exit to
+ avoid calling fastRealloc with the size of 0.
+
2009-10-19 Andrew Scherkus <scherkus at chromium.org>
Reviewed by Eric Seidel.
diff --git a/WebCore/html/HTMLTokenizer.cpp b/WebCore/html/HTMLTokenizer.cpp
index c03a3fc..33af997 100644
--- a/WebCore/html/HTMLTokenizer.cpp
+++ b/WebCore/html/HTMLTokenizer.cpp
@@ -1986,6 +1986,14 @@ void HTMLTokenizer::enlargeScriptBuffer(int len)
CRASH();
int newSize = m_scriptCodeCapacity + delta;
+ // If we allow fastRealloc(ptr, 0), it will call CRASH(). We run into this
+ // case if the HTML being parsed begins with "<!--" and there's more data
+ // coming.
+ if (!newSize) {
+ ASSERT(!m_scriptCode);
+ return;
+ }
+
m_scriptCode = static_cast<UChar*>(fastRealloc(m_scriptCode, newSize * sizeof(UChar)));
m_scriptCodeCapacity = newSize;
}
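Review bot: the early exit at `if (!newSize)` returns before `m_scriptCode = static_cast<UChar*>(fastRealloc(...))` and leaves m_scriptCodeCapacity untouched, which is only safe if the caller stores nothing into m_scriptCode on this call; the hunk shows `int newSize = m_scriptCodeCapacity + delta;` but not how delta is derived from len, so the comment should state that newSize == 0 means both the current capacity and the requested growth are 0 (and hence no characters are about to be written) rather than only naming the "<!--" trigger. ASSERT(!m_scriptCode) is compiled out in release builds, so it documents that invariant but does not enforce it where the crash dumps come from. Since the comment identifies a concrete input (a document that begins with "<!--" with more data still to come), consider adding a layout test that feeds that input in two chunks instead of landing with "No test".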
--
WebKit Debian packaging
More information about the Pkg-webkit-commits mailing list