[Webkit-unassigned] [Bug 11221] REGRESSION: iExploder crash due to style="cursor: url()"

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 11 10:30:53 PDT 2006


http://bugs.webkit.org/show_bug.cgi?id=11221





------- Comment #7 from rwlbuis at gmail.com  2006-10-11 10:30 PDT -------
Hi Mitz,

(In reply to comment #6)
> (From update of attachment 11031)
> +            list = new CSSValueList; 
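
Review bot: the added `list = new CSSValueList;` hands ownership to a raw pointer, so every exit from the enclosing code has to release it, and an early `return false` like the one quoted further down in this message is exactly where that gets missed. Allocate the list once, outside the loop, and either hold it in an owning smart pointer or delete it on each failure path before returning.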

I clearly wasn't thinking :}

> This will allocate a new CSSValueList on every iteration through the loop,
> throwing away the previously allocated one.

See above :}

> I noticed that the current code leaks a CSSValueList in a couple of places. One
> of them this patch fixes, another one is here:
> 
>             if ((strict && !value) || (value && !(value->unit ==
> Value::Operator && value->iValue == ',')))
>                 return false;

Yep, the state after bug 6002 shows that there were some issues left in the
code. I guess the review should have been better, and I should have also
studied this (tricky) code better.

> (So for example, "cursor: url(cursor.png) ex" will leak a CSSValueList).
> 
>              if (strict || coords.size() == 0) {
> 
> This code after this 'if' is insufficiently indented, please clean it up.

Ok.

> In WebCore/ChangeLog, please add a line noting the test that goes with your
> patch. The usual format is "Test: fast/css/invalid-cursor-property-crash.html",
> right after the bug summary.

Ok. Will try to make a new patch asap.
Cheers,

Rob.

