[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

eric at webkit.org eric at webkit.org
Thu Oct 29 20:47:46 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 33f0def6eac2d8d271fc624dcaea2cd28a20ba0d
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Oct 19 16:18:19 2009 +0000

    2009-10-19  Dimitri Glazkov  <dglazkov at chromium.org>
    
            Reviewed by Darin Adler.
    
            Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare
            fastRealloc edge case.
            https://bugs.webkit.org/show_bug.cgi?id=29313
    
            No test, the crash shows up occasionally in crash dumps, we weren't able
            to reproduce it locally.
    
            * html/HTMLTokenizer.cpp:
            (WebCore::HTMLTokenizer::enlargeScriptBuffer): Added an early exit to
                avoid calling fastRealloc with the size of 0.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49788 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 30c84a2..a965776 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2009-10-19  Dimitri Glazkov  <dglazkov at chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Fix hard-to-reproduce crash in HTMLTokenizer by avoiding a rare
+        fastRealloc edge case.
+        https://bugs.webkit.org/show_bug.cgi?id=29313
+
+        No test, the crash shows up occasionally in crash dumps, we weren't able
+        to reproduce it locally.
+
+        * html/HTMLTokenizer.cpp:
+        (WebCore::HTMLTokenizer::enlargeScriptBuffer): Added an early exit to
+            avoid calling fastRealloc with the size of 0.
+
 2009-10-19  Andrew Scherkus  <scherkus at chromium.org>
 
         Reviewed by Eric Seidel.
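Review bot: The ChangeLog entry (lines "No test, the crash shows up occasionally in crash dumps" through "avoid calling fastRealloc with the size of 0") records that the bug was never reproduced locally but omits the one concrete trigger the code comment in the HTMLTokenizer.cpp hunk does name: input that begins with "<!--" with more data still to come. Since no regression test is being added, that condition is the only thing a later reader has to go on; consider repeating it here, and also noting that fastRealloc(ptr, 0) is what ends in CRASH(), so the entry explains why a zero-size request is fatal rather than merely wasteful.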
diff --git a/WebCore/html/HTMLTokenizer.cpp b/WebCore/html/HTMLTokenizer.cpp
index c03a3fc..33af997 100644
--- a/WebCore/html/HTMLTokenizer.cpp
+++ b/WebCore/html/HTMLTokenizer.cpp
@@ -1986,6 +1986,14 @@ void HTMLTokenizer::enlargeScriptBuffer(int len)
         CRASH();
 
     int newSize = m_scriptCodeCapacity + delta;
+    // If we allow fastRealloc(ptr, 0), it will call CRASH(). We run into this
+    // case if the HTML being parsed begins with "<!--" and there's more data
+    // coming.
+    if (!newSize) {
+        ASSERT(!m_scriptCode);
+        return;
+    }
+
     m_scriptCode = static_cast<UChar*>(fastRealloc(m_scriptCode, newSize * sizeof(UChar)));
     m_scriptCodeCapacity = newSize;
 }
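Review bot: The early exit at "if (!newSize) { ASSERT(!m_scriptCode); return; }" only covers the case where m_scriptCodeCapacity is already 0 and delta is 0; the assertion is debug-only, so in a release build a non-null m_scriptCode reaching this point (newSize computed as "m_scriptCodeCapacity + delta" landing on 0 from a non-zero capacity) would return with the stale buffer and stale m_scriptCodeCapacity intact instead of being caught. If that state is genuinely impossible the comment should say so (the comment currently explains the "<!--" trigger but not why m_scriptCode must be null here); if it is merely unexpected, consider having the zero-size path release the buffer and set m_scriptCodeCapacity to 0 so the object's invariant (capacity matches the allocation) holds on every path, not just in debug builds. Relatedly, the guard tests for exactly 0 and not for a negative newSize; the CRASH() above the hunk presumably handles the overflow direction, but a one-line note there would make the division of responsibility explicit.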

-- 
WebKit Debian packaging
