[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
simon.fraser at apple.com
Wed Dec 22 13:35:22 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit f5ce64706cf4b682f522b5aa1d8e737e5b5d4a26
Author: simon.fraser at apple.com <simon.fraser at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Sep 21 00:42:42 2010 +0000
2010-09-20 Simon Fraser <simon.fraser at apple.com>
Reviewed by Darin Adler.
Crash when div with content set to image gets composited (Vimeo).
https://bugs.webkit.org/show_bug.cgi?id=46140
When CSS specifies that the content of an element is an image, we make
a RenderImage, and setStyle() before setting the image resource. In this
case the compositing code can attempt to access the cached image, which
would crash with a null deref.
Fix by null-checking m_imageResource.
Test: compositing/images/content-image.html
* rendering/RenderImage.h:
(WebCore::RenderImage::cachedImage):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67899 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 7dc396d..9d4841c 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2010-09-20 Simon Fraser <simon.fraser at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash when div with content set to image gets composited (Vimeo).
+ https://bugs.webkit.org/show_bug.cgi?id=46140
+
+ Test with a compositing div with content set to an image.
+
+ * compositing/images/content-image-expected.txt: Copied from LayoutTests/fast/forms/select-change-popup-to-listbox-in-event-handler-expected.txt.
+ * compositing/images/content-image.html: Added.
+
2010-09-20 Mihai Parparita <mihaip at chromium.org>
Reviewed by Dimitri Glazkov.
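Review bot: The content-image-expected.txt entry records the baseline as "Copied from LayoutTests/fast/forms/select-change-popup-to-listbox-in-event-handler-expected.txt", which ties a compositing test to an unrelated forms test in the history. If the two files merely happen to contain the same text, list the new expected file as "Added." so nobody later assumes the two baselines should change together.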
diff --git a/LayoutTests/fast/forms/select-change-popup-to-listbox-in-event-handler-expected.txt b/LayoutTests/compositing/images/content-image-expected.txt
similarity index 100%
copy from LayoutTests/fast/forms/select-change-popup-to-listbox-in-event-handler-expected.txt
copy to LayoutTests/compositing/images/content-image-expected.txt
diff --git a/LayoutTests/compositing/images/content-image.html b/LayoutTests/compositing/images/content-image.html
new file mode 100644
index 0000000..20f6d98
--- /dev/null
+++ b/LayoutTests/compositing/images/content-image.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <style type="text/css" media="screen">
+ .box {
+ content: url('../resources/alpha-gradient-small.png');
+ -webkit-transform: translateZ(0);
+ }
+ </style>
+ <script type="text/javascript" charset="utf-8">
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+ </script>
+</head>
+<body>
+ <p>This test should not crash.</p>
+ <div class="box"></div>
+</body>
+</html>
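Review bot: Nothing in this test shows that the .box div was actually composited; the only trigger is "-webkit-transform: translateZ(0)" in the .box rule, and the dumpAsText() output is just the "This test should not crash." paragraph. On a configuration where that transform does not create a compositing layer, the test passes without ever reaching the cachedImage() path the fix guards. Consider recording the layer tree in the expected output, or at least adding a comment in the test naming the bug (46140) and stating that it depends on accelerated compositing being enabled.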
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 26c7ed0..9f141d2 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-09-20 Simon Fraser <simon.fraser at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Crash when div with content set to image gets composited (Vimeo).
+ https://bugs.webkit.org/show_bug.cgi?id=46140
+
+ When CSS specifies that the content of an element is an image, we make
+ a RenderImage, and setStyle() before setting the image resource. In this
+ case the compositing code can attempt to access the cached image, which
+ would crash with a null deref.
+
+ Fix by null-checking m_imageResource.
+
+ Test: compositing/images/content-image.html
+
+ * rendering/RenderImage.h:
+ (WebCore::RenderImage::cachedImage):
+
2010-09-20 Mihai Parparita <mihaip at chromium.org>
Reviewed by Dimitri Glazkov.
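Review bot: The entry explains that setStyle() runs before the image resource is set, but it does not say why the fix guards the accessor instead of changing that order. One sentence on that choice would tell later readers whether a null m_imageResource is now an expected state for a RenderImage or only a transient one during construction.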
diff --git a/WebCore/rendering/RenderImage.h b/WebCore/rendering/RenderImage.h
index a8666ee..f9acba8 100644
--- a/WebCore/rendering/RenderImage.h
+++ b/WebCore/rendering/RenderImage.h
@@ -41,7 +41,7 @@ public:
RenderImageResource* imageResource() { return m_imageResource.get(); }
const RenderImageResource* imageResource() const { return m_imageResource.get(); }
- CachedImage* cachedImage() const { return m_imageResource->cachedImage(); }
+ CachedImage* cachedImage() const { return m_imageResource ? m_imageResource->cachedImage() : 0; }
bool setImageSizeForAltText(CachedImage* newImage = 0);
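Review bot: On the "+" line, cachedImage() now returns 0 when m_imageResource is unset, which moves the null from this accessor to whoever calls it. The ChangeLog says the compositing code reaches this accessor in that state, so that caller and the other users of cachedImage() should be checked to confirm they test the result before dereferencing it. A short comment above the accessor saying that it can return 0 before the image resource is set would document the new contract.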
--
WebKit Debian packaging