diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLFormElement.cpp 2010-02-25 15:50:05.987741463 +0100
@@ -515,11 +515,13 @@ bool HTMLFormElement::isURLAttribute(Att
void HTMLFormElement::registerImgElement(HTMLImageElement* e)
{
+ ASSERT(imgElements.find(e) == notFound);
imgElements.append(e);
}
void HTMLFormElement::removeImgElement(HTMLImageElement* e)
{
+ ASSERT(imgElements.find(e) == notFound);
removeFromVector(imgElements, e);
}
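Review bot: The assertion added to removeImgElement looks inverted: `ASSERT(imgElements.find(e) == notFound);` requires the image to be absent just before it is removed, so a debug build would trip on every legitimate unregistration and the check cannot catch a double removal. The precondition for removal is that the element is currently registered, i.e. `ASSERT(imgElements.find(e) != notFound);`. The `== notFound` form fits only registerImgElement, where it stops the same raw pointer from being appended twice. These are ASSERTs, which are normally compiled out of release builds, so shipping code still depends on callers pairing the two calls correctly.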
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.cpp 2010-02-25 15:43:45.016742027 +0100
@@ -209,6 +209,40 @@ void HTMLImageElement::removedFromDocume
HTMLElement::removedFromDocument();
}
+void HTMLImageElement::insertedIntoTree(bool deep)
+{
+ if (m_form) {
+ // m_form was set by constructor. In debug builds, check that it's an ancestor indeed.
+#ifndef NDEBUG
+ for (Node* ancestor = parentNode(); /* no end condition - there must be a form ancestor */; ancestor = ancestor->parentNode()) {
+ ASSERT(ancestor);
+ if (ancestor->hasTagName(formTag)) {
+ ASSERT(m_form == static_cast<HTMLFormElement*>(ancestor));
+ break;
+ }
+ }
+#endif
+ } else {
+ for (Node* ancestor = parentNode(); ancestor; ancestor = ancestor->parentNode()) {
+ if (ancestor->hasTagName(formTag)) {
+ m_form = static_cast<HTMLFormElement*>(ancestor);
+ m_form->registerImgElement(this);
+ break;
+ }
+ }
+ }
+
+ HTMLElement::insertedIntoTree(deep);
+}
+
+void HTMLImageElement::removedFromTree(bool deep)
+{
+ if (m_form)
+ m_form->removeImgElement(this);
+ m_form = 0;
+ HTMLElement::removedFromTree(deep);
+}
+
int HTMLImageElement::width(bool ignorePendingStylesheets) const
{
if (!renderer()) {
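Review bot: In insertedIntoTree the claim that a constructor-set m_form is an ancestor is verified only inside `#ifndef NDEBUG`, so a release build keeps whatever form pointer the constructor supplied without checking it. The form stores raw `HTMLImageElement*` entries (registerImgElement appends the pointer as-is), so memory safety depends on every registration being undone before the image is destroyed. removedFromTree covers removal from the tree, but the destructor is outside this hunk, so it is worth confirming that it also calls removeImgElement while m_form is still set. I would add a comment above the `if (m_form)` block such as `// Invariant: while m_form is non-null, this element is listed in m_form's imgElements; removedFromTree and the destructor must both unregister.` The hunk begins inside removedFromDocument and ends inside width(), so neither of those bodies is reviewed here.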
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h.cve-2010-0054-image-element-pointer-name-getter 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLImageElement.h 2010-02-25 15:41:18.340929598 +0100
@@ -45,8 +45,6 @@ public:
virtual void attach();
virtual RenderObject* createRenderer(RenderArena*, RenderStyle*);
- virtual void insertedIntoDocument();
- virtual void removedFromDocument();
virtual bool canStartSelection() const { return false; }
@@ -105,6 +103,11 @@ public:
virtual void addSubresourceAttributeURLs(ListHashSet<KURL>&) const;
private:
+ virtual void insertedIntoDocument();
+ virtual void removedFromDocument();
+ virtual void insertedIntoTree(bool deep);
+ virtual void removedFromTree(bool deep);
+
HTMLImageLoader m_imageLoader;
String usemap;
bool ismap;