diff options
Diffstat (limited to 'src/3rdparty/webkit/WebCore')
6 files changed, 65 insertions, 20 deletions
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog index 5189eb5..5b78226 100644 --- a/src/3rdparty/webkit/WebCore/ChangeLog +++ b/src/3rdparty/webkit/WebCore/ChangeLog @@ -1,3 +1,40 @@ +2010-06-14 Andreas Kling <andreas.kling@nokia.com> + + Reviewed by Tor Arne Vestbø. + + [Qt] Stack overflow when converting navigator object to QVariant + https://bugs.webkit.org/show_bug.cgi?id=40572 + + Protect against infinite recursion in JSValue->QVariant conversion. + This fixes a crash when trying to convert MimeType objects (they + recurse infinitely and on-the-fly via the enabledPlugin property.) + + * bridge/qt/qt_runtime.cpp: + (JSC::Bindings::convertValueToQVariant): + +2010-03-30 Kent Tamura <tkent@chromium.org> + + Reviewed by Brady Eidson. + + REGRESSION (r56439) - Crash when a renderer for a file upload control + with a selected file is recreated + https://bugs.webkit.org/show_bug.cgi?id=36723 + + RenderFileUploadControl::chooseIconForFiles was called before + m_fileChooser was initialized. + + * platform/FileChooser.cpp: + (WebCore::FileChooser::FileChooser): Introduce m_isInitializing flag to + avoid FileChooserClient::repaint() call. + (WebCore::FileChooser::loadIcon): + (WebCore::FileChooser::iconLoaded): + * platform/FileChooser.h: Add a FielChooser parameter to + FileChooserClient::chooseIconForFiles(). + * rendering/RenderFileUploadControl.cpp: + (WebCore::RenderFileUploadControl::chooseIconForFiles): + (WebCore::RenderFileUploadControl::paintObject): Add an assertion. + * rendering/RenderFileUploadControl.h: + 2010-07-06 Nikolas Zimmermann <nzimmermann@rim.com> Reviewed by Dirk Schulze. diff --git a/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp b/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp index a39dc7a..2212f58 100644 --- a/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp +++ b/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp @@ -162,9 +162,11 @@ static JSRealType valueRealType(ExecState* exec, JSValue val) return String; // I don't know. } -QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type hint, int *distance, HashSet<JSObject*>* visitedObjects) +QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type hint, int *distance, HashSet<JSObject*>* visitedObjects, int recursionLimit) { - if (!value) + --recursionLimit; + + if (!value || !recursionLimit) return QVariant(); JSObject* object = 0; @@ -344,7 +346,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type while(it != properties.end()) { if (object->propertyIsEnumerable(exec, *it)) { JSValue val = object->get(exec, *it); - QVariant v = convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects); + QVariant v = convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects, recursionLimit); if (objdist >= 0) { UString ustring = (*it).ustring(); QString id = QString((const QChar*)ustring.rep()->characters(), ustring.size()); @@ -368,7 +370,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type qConvDebug() << "converting a " << len << " length Array"; for (int i = 0; i < len; ++i) { JSValue val = rtarray->getConcreteArray()->valueAt(exec, i); - result.append(convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects)); + result.append(convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects, recursionLimit)); if (objdist == -1) { qConvDebug() << "Failed converting element at index " << i; break; // Failed converting a list entry, so fail the array @@ -387,7 +389,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type qConvDebug() << "converting a " << len << " length Array"; for (int i = 0; i < len; ++i) { JSValue val = array->get(exec, i); - result.append(convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects)); + result.append(convertValueToQVariant(exec, val, QMetaType::Void, &objdist, visitedObjects, recursionLimit)); if (objdist == -1) { qConvDebug() << "Failed converting element at index " << i; break; // Failed converting a list entry, so fail the array @@ -401,7 +403,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type // Make a single length array int objdist; qConvDebug() << "making a single length variantlist"; - QVariant var = convertValueToQVariant(exec, value, QMetaType::Void, &objdist, visitedObjects); + QVariant var = convertValueToQVariant(exec, value, QMetaType::Void, &objdist, visitedObjects, recursionLimit); if (objdist != -1) { QVariantList result; result << var; @@ -645,7 +647,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type for (int i = 0; i < len; ++i) { JSValue val = rtarray->getConcreteArray()->valueAt(exec, i); int itemdist = -1; - QVariant item = convertValueToQVariant(exec, val, QMetaType::QObjectStar, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, val, QMetaType::QObjectStar, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) result.append(item.value<QObject*>()); else @@ -664,7 +666,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type for (int i = 0; i < len; ++i) { JSValue val = array->get(exec, i); int itemdist = -1; - QVariant item = convertValueToQVariant(exec, val, QMetaType::QObjectStar, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, val, QMetaType::QObjectStar, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) result.append(item.value<QObject*>()); else @@ -679,7 +681,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type // Make a single length array QObjectList result; int itemdist = -1; - QVariant item = convertValueToQVariant(exec, value, QMetaType::QObjectStar, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, value, QMetaType::QObjectStar, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) { result.append(item.value<QObject*>()); dist = 10; @@ -696,7 +698,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type for (int i = 0; i < len; ++i) { JSValue val = rtarray->getConcreteArray()->valueAt(exec, i); int itemdist = -1; - QVariant item = convertValueToQVariant(exec, val, QMetaType::Int, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, val, QMetaType::Int, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) result.append(item.value<int>()); else @@ -715,7 +717,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type for (int i = 0; i < len; ++i) { JSValue val = array->get(exec, i); int itemdist = -1; - QVariant item = convertValueToQVariant(exec, val, QMetaType::Int, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, val, QMetaType::Int, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) result.append(item.value<int>()); else @@ -730,7 +732,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type // Make a single length array QList<int> result; int itemdist = -1; - QVariant item = convertValueToQVariant(exec, value, QMetaType::Int, &itemdist, visitedObjects); + QVariant item = convertValueToQVariant(exec, value, QMetaType::Int, &itemdist, visitedObjects, recursionLimit); if (itemdist >= 0) { result.append(item.value<int>()); dist = 10; @@ -757,7 +759,7 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type } // And then recurse with the autodetect flag - ret = convertValueToQVariant(exec, value, QMetaType::Void, distance, visitedObjects); + ret = convertValueToQVariant(exec, value, QMetaType::Void, distance, visitedObjects, recursionLimit); dist = 10; } break; @@ -777,8 +779,9 @@ QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type QVariant convertValueToQVariant(ExecState* exec, JSValue value, QMetaType::Type hint, int *distance) { + const int recursionLimit = 200; HashSet<JSObject*> visitedObjects; - return convertValueToQVariant(exec, value, hint, distance, &visitedObjects); + return convertValueToQVariant(exec, value, hint, distance, &visitedObjects, recursionLimit); } JSValue convertQVariantToValue(ExecState* exec, PassRefPtr<RootObject> root, const QVariant& variant) diff --git a/src/3rdparty/webkit/WebCore/platform/FileChooser.cpp b/src/3rdparty/webkit/WebCore/platform/FileChooser.cpp index dd4fc0d..90dd567 100644 --- a/src/3rdparty/webkit/WebCore/platform/FileChooser.cpp +++ b/src/3rdparty/webkit/WebCore/platform/FileChooser.cpp @@ -39,9 +39,11 @@ FileChooserClient::~FileChooserClient() inline FileChooser::FileChooser(FileChooserClient* client, const Vector<String>& initialFilenames) : m_client(client) + , m_isInitializing(true) { m_filenames = initialFilenames; loadIcon(); + m_isInitializing = false; } PassRefPtr<FileChooser> FileChooser::create(FileChooserClient* client, const Vector<String>& initialFilenames) @@ -79,13 +81,13 @@ void FileChooser::chooseFiles(const Vector<String>& filenames) void FileChooser::loadIcon() { if (m_filenames.size() && m_client) - m_client->chooseIconForFiles(m_filenames); + m_client->chooseIconForFiles(this, m_filenames); } void FileChooser::iconLoaded(PassRefPtr<Icon> icon) { m_icon = icon; - if (m_icon && m_client) + if (!m_isInitializing && m_icon && m_client) m_client->repaint(); } diff --git a/src/3rdparty/webkit/WebCore/platform/FileChooser.h b/src/3rdparty/webkit/WebCore/platform/FileChooser.h index 4028d41..e93b9ac 100644 --- a/src/3rdparty/webkit/WebCore/platform/FileChooser.h +++ b/src/3rdparty/webkit/WebCore/platform/FileChooser.h @@ -35,6 +35,7 @@ namespace WebCore { +class FileChooser; class Font; class Icon; @@ -44,7 +45,7 @@ public: virtual void repaint() = 0; virtual bool allowsMultipleFiles() = 0; virtual String acceptTypes() = 0; - virtual void chooseIconForFiles(const Vector<String>&) = 0; + virtual void chooseIconForFiles(FileChooser*, const Vector<String>&) = 0; virtual ~FileChooserClient(); }; @@ -79,6 +80,7 @@ private: FileChooserClient* m_client; Vector<String> m_filenames; RefPtr<Icon> m_icon; + bool m_isInitializing; }; } // namespace WebCore diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.cpp b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.cpp index 14d126d..6a5c1e0 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.cpp +++ b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.cpp @@ -114,10 +114,10 @@ String RenderFileUploadControl::acceptTypes() return static_cast<HTMLInputElement*>(node())->accept(); } -void RenderFileUploadControl::chooseIconForFiles(const Vector<String>& filenames) +void RenderFileUploadControl::chooseIconForFiles(FileChooser* chooser, const Vector<String>& filenames) { if (Chrome* chromePointer = chrome()) - chromePointer->chooseIconForFiles(filenames, m_fileChooser); + chromePointer->chooseIconForFiles(filenames, chooser); } void RenderFileUploadControl::click() @@ -195,6 +195,7 @@ void RenderFileUploadControl::paintObject(PaintInfo& paintInfo, int tx, int ty) { if (style()->visibility() != VISIBLE) return; + ASSERT(m_fileChooser); // Push a clip. if (paintInfo.phase == PaintPhaseForeground || paintInfo.phase == PaintPhaseChildBlockBackgrounds) { diff --git a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h index a5f3367..25d2639 100644 --- a/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h +++ b/src/3rdparty/webkit/WebCore/rendering/RenderFileUploadControl.h @@ -63,7 +63,7 @@ private: void repaint() { RenderBlock::repaint(); } bool allowsMultipleFiles(); String acceptTypes(); - void chooseIconForFiles(const Vector<String>&); + void chooseIconForFiles(FileChooser*, const Vector<String>&); Chrome* chrome() const; int maxFilenameWidth() const; |