[Webkit-unassigned] [Bug 13336] REGRESSION: editing/execCommand/hilitecolor.html crashes under guardMalloc
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sun Apr 15 04:08:53 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=13336
proton at wiretapped.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |proton at wiretapped.net
------- Comment #1 from proton at wiretapped.net 2007-04-15 04:08 PDT -------
This happens because WebCore::InlineTextBox assumes that its textObject() will
not change the length of its text.
SplitTextNodeContainingElementCommand violates this by calling splitTextNode()
which eventually will hit CharacterData::deleteData, chopping some data off the
textObject()'s text as it does the split.
We need to watch for this change and update the m_len value as appropriate.
--
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list