[Webkit-unassigned] [Bug 11221] REGRESSION: iExploder crash due to style="cursor: url()"
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Oct 11 05:28:46 PDT 2006
http://bugs.webkit.org/show_bug.cgi?id=11221
mitz at webkit.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #11031|review? |review-
Flag| |
------- Comment #6 from mitz at webkit.org 2006-10-11 05:28 PDT -------
(From update of attachment 11031)
+ list = new CSSValueList;
This will allocate a new CSSValueList on every iteration through the loop,
throwing away the previously allocated one.
I noticed that the current code leaks a CSSValueList in a couple of places. One
of them this patch fixes, another one is here:
if ((strict && !value) || (value && !(value->unit ==
Value::Operator && value->iValue == ',')))
return false;
(So for example, "cursor: url(cursor.png) ex" will leak a CSSValueList).
if (strict || coords.size() == 0) {
This code after this 'if' is insufficiently indented, please clean it up.
In WebCore/ChangeLog, please add a line noting the test that goes with your
patch. The usual format is "Test: fast/css/invalid-cursor-property-crash.html",
right after the bug summary.
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list