[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

jamesr at google.com jamesr at google.com
Wed Dec 22 14:53:14 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 922af518171a05bda1dec759cab0d6d1b2291cfa
Author: jamesr at google.com <jamesr at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 22 23:39:13 2010 +0000

    2010-10-22  James Robinson  <jamesr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            REGRESSION(66391): http://ligth-arts.all-up.com/ crashes in EventHandler::selectCursor
            https://bugs.webkit.org/show_bug.cgi?id=47942
    
            Add checks for a NULL StyleImage in a CursorList.
    
            * css/CSSComputedStyleDeclaration.cpp:
            (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):
            * css/CSSStyleSelector.cpp:
            (WebCore::CSSStyleSelector::loadPendingImages):
            * page/EventHandler.cpp:
            (WebCore::EventHandler::selectCursor):
            * rendering/style/CursorList.h:
            (WebCore::CursorList::at):
            * manual-tests/cursor-empty-url.html: Added.
            * manual-tests/resources/cursor-empty-url.css: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70365 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e9258e5..75ebd7b 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2010-10-22  James Robinson  <jamesr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        REGRESSION(66391): http://ligth-arts.all-up.com/ crashes in EventHandler::selectCursor
+        https://bugs.webkit.org/show_bug.cgi?id=47942
+
+        Add checks for a NULL StyleImage in a CursorList.
+
+        * css/CSSComputedStyleDeclaration.cpp:
+        (WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue):
+        * css/CSSStyleSelector.cpp:
+        (WebCore::CSSStyleSelector::loadPendingImages):
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::selectCursor):
+        * rendering/style/CursorList.h:
+        (WebCore::CursorList::at):
+        * manual-tests/cursor-empty-url.html: Added.
+        * manual-tests/resources/cursor-empty-url.css: Added.
+
 2010-10-22  David Hyatt  <hyatt at apple.com>
 
         Reviewed by Adele Peterson.
diff --git a/WebCore/css/CSSComputedStyleDeclaration.cpp b/WebCore/css/CSSComputedStyleDeclaration.cpp
index 14c3bb3..fdcab28 100644
--- a/WebCore/css/CSSComputedStyleDeclaration.cpp
+++ b/WebCore/css/CSSComputedStyleDeclaration.cpp
@@ -890,7 +890,8 @@ PassRefPtr<CSSValue> CSSComputedStyleDeclaration::getPropertyCSSValue(int proper
             if (cursors && cursors->size() > 0) {
                 list = CSSValueList::createCommaSeparated();
                 for (unsigned i = 0; i < cursors->size(); ++i)
-                    list->append((*cursors)[i].image()->cssValue());
+                    if (StyleImage* image = cursors->at(i).image())
+                        list->append(image->cssValue());
             }
             RefPtr<CSSValue> value = CSSPrimitiveValue::create(style->cursor());
             if (list) {
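Review bot: When every entry in the cursor list has a null image, the loop now leaves `list` allocated but empty, and the `if (list)` test on the last line of the hunk still takes the branch. What that branch does with an empty list is outside the hunk, but if it serializes the list ahead of the cursor keyword, the computed value would probably come out malformed; testing `if (list && list->length())` would avoid that. The multi-line `if` inside the unbraced `for` also wants braces around the loop body. getPropertyCSSValue starts and ends outside the hunk.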
diff --git a/WebCore/css/CSSStyleSelector.cpp b/WebCore/css/CSSStyleSelector.cpp
index f5a6d03..3d69e87 100644
--- a/WebCore/css/CSSStyleSelector.cpp
+++ b/WebCore/css/CSSStyleSelector.cpp
@@ -6839,10 +6839,12 @@ void CSSStyleSelector::loadPendingImages()
             case CSSPropertyCursor: {
                 if (CursorList* cursorList = m_style->cursors()) {
                     for (size_t i = 0; i < cursorList->size(); ++i) {
-                        CursorData& currentCursor = (*cursorList)[i];
-                        if (currentCursor.image()->isPendingImage()) {
-                            CSSImageValue* imageValue = static_cast<StylePendingImage*>(currentCursor.image())->cssImageValue();
-                            currentCursor.setImage(imageValue->cachedImage(cachedResourceLoader));
+                        CursorData& currentCursor = cursorList->at(i);
+                        if (StyleImage* image = currentCursor.image()) {
+                            if (image->isPendingImage()) {
+                                CSSImageValue* imageValue = static_cast<StylePendingImage*>(image)->cssImageValue();
+                                currentCursor.setImage(imageValue->cachedImage(cachedResourceLoader));
+                            }
                         }
                     }
                 }
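Review bot: The results of `cssImageValue()` and of `imageValue->cachedImage(cachedResourceLoader)` are still used unchecked inside the new `if (image->isPendingImage())` block. If `cachedImage()` can return null, which this hunk does not show, `setImage()` stores a null image in the list, which is the state the other call sites in this commit now have to guard against. A comment on the loop such as `// A cursor entry may have no image (e.g. url('')); consumers must null-check CursorData::image().` would record that invariant for the next caller. loadPendingImages starts and ends outside the hunk.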
diff --git a/WebCore/manual-tests/cursor-empty-url.html b/WebCore/manual-tests/cursor-empty-url.html
new file mode 100644
index 0000000..a336100
--- /dev/null
+++ b/WebCore/manual-tests/cursor-empty-url.html
@@ -0,0 +1,3 @@
+<div>Mousing over the grey block should not cause a crash.</div>
+<link rel="stylesheet" href="resources/cursor-empty-url.css"></link>
+<div id="target" style="width: 50px; height: 50px; margin: 10px; background: #ddd"></div>
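Review bot: This test only runs when someone opens it by hand, so the null-image paths in getPropertyCSSValue and loadPendingImages have no automated coverage. The computed-style path at least does not need a mouse: a layout test that reads `getComputedStyle(target).cursor` for the `url('')` rule in resources/cursor-empty-url.css would exercise it on every run. The stray `</link>` close tag can go, since `link` is a void element.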
diff --git a/WebCore/manual-tests/resources/cursor-empty-url.css b/WebCore/manual-tests/resources/cursor-empty-url.css
new file mode 100644
index 0000000..0479af1
--- /dev/null
+++ b/WebCore/manual-tests/resources/cursor-empty-url.css
@@ -0,0 +1 @@
+#target { cursor: url(''), auto; }
diff --git a/WebCore/page/EventHandler.cpp b/WebCore/page/EventHandler.cpp
index 92504d3..2970259 100644
--- a/WebCore/page/EventHandler.cpp
+++ b/WebCore/page/EventHandler.cpp
@@ -1081,7 +1081,7 @@ Cursor EventHandler::selectCursor(const MouseEventWithHitTestResults& event, Scr
         for (unsigned i = 0; i < cursors->size(); ++i) {
             const CachedImage* cimage = 0;
             StyleImage* image = (*cursors)[i].image();
-            if (image->isCachedImage())
+            if (image && image->isCachedImage())
                 cimage = static_cast<StyleCachedImage*>(image)->cachedImage();
             if (!cimage)
                 continue;
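Review bot: The lookup on the line above the change still goes through `(*cursors)[i]`, whose parameter is `int`, while `i` is `unsigned` and the other two call sites in this commit moved to `at(i)`. `StyleImage* image = cursors->at(i).image();` would keep the three loops consistent and avoid the unsigned-to-int conversion. Because the crash is reachable from page-supplied CSS (`cursor: url('')` in the added manual test), a one-line comment saying that image() may be null for such an entry would help the next reader. selectCursor continues outside the hunk.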
diff --git a/WebCore/rendering/style/CursorList.h b/WebCore/rendering/style/CursorList.h
index 1b82684..a1d1fe7 100644
--- a/WebCore/rendering/style/CursorList.h
+++ b/WebCore/rendering/style/CursorList.h
@@ -40,6 +40,8 @@ public:
 
     const CursorData& operator[](int i) const { return m_vector[i]; }
     CursorData& operator[](int i) { return m_vector[i]; }
+    const CursorData& at(size_t i) const { return m_vector.at(i); }
+    CursorData& at(size_t i) { return m_vector.at(i); }
 
     bool operator==(const CursorList& o) const { return m_vector == o.m_vector; }
     bool operator!=(const CursorList& o) const { return m_vector != o.m_vector; }
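Review bot: The new `at(size_t)` accessors sit next to `operator[](int)`, so the class now has two index types for the same vector and callers cannot tell which one, if either, is the checked form. Whether `m_vector.at(i)` is bounds-checked in release builds depends on the Vector implementation, which is not visible here. A comment such as `// at() forwards to Vector::at(); the returned CursorData may have a null image().` would state both facts. Changing `operator[]` to take `size_t` as well, if no caller relies on `int`, would remove the mismatch.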

-- 
WebKit Debian packaging


