Diffstat (limited to 'src')
-rw-r--r-- | src/3rdparty/webkit/VERSION | 2 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/ChangeLog | 28 | ||||
-rw-r--r-- | src/3rdparty/webkit/WebCore/svg/SVGList.h | 6 |
3 files changed, 34 insertions, 2 deletions
diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION index 7d5d1c5..2be6d53 100644 --- a/src/3rdparty/webkit/VERSION +++ b/src/3rdparty/webkit/VERSION @@ -8,4 +8,4 @@ The commit imported was from the and has the sha1 checksum - 4ee8af9348b3f57d3c0f3575ae0a58336cf07a92 + 44bbcef18007e00c6cfee294640c5cfc9e464aa4 diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog index 072beee..fb31572 100644 --- a/src/3rdparty/webkit/WebCore/ChangeLog +++ b/src/3rdparty/webkit/WebCore/ChangeLog @@ -1,3 +1,31 @@ +2009-05-15 Adam Barth <abarth@webkit.org> + + Reviewed by Oliver Hunt. + + https://bugs.webkit.org/show_bug.cgi?id=25741 + + Append instead of throwing when insertItemBefore gets an out-of-bound + index. + + Test: svg/dom/svglist-insertItemBefore-appends.html + + * svg/SVGList.h: + (WebCore::SVGList::insertItemBefore): + +2009-03-19 Oliver Hunt <oliver@apple.com> + + Reviewed by Darin Adler. + + <rdar://problem/6702386> Incorrect bound check in SVGList::insertItemBefore + + SVGList::insertItemBefore would not perform a bounds check on the + index it was provided, potentially leading to a buffer overflow. + + Test: svg/dom/svglist-exception-on-out-bounds-error.html + + * svg/SVGList.h: + (WebCore::SVGList::insertItemBefore): + 2009-05-19 Kenneth Rohde Christiansen <kenneth.christiansen@openbossa.org> Reviewed by Simon Hausmann. diff --git a/src/3rdparty/webkit/WebCore/svg/SVGList.h b/src/3rdparty/webkit/WebCore/svg/SVGList.h index d4f7641..5381598 100644 --- a/src/3rdparty/webkit/WebCore/svg/SVGList.h +++ b/src/3rdparty/webkit/WebCore/svg/SVGList.h @@ -96,7 +96,11 @@ namespace WebCore { Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&) { - m_vector.insert(index, newItem); + if (index < m_vector.size()) { + m_vector.insert(index, newItem); + } else { + m_vector.append(newItem); + } return newItem; } |
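Review bot: In the SVGList.h hunk, the new `index < m_vector.size()` test in `insertItemBefore` is the only thing that keeps a caller-supplied index from reaching `m_vector.insert` out of range, which the ChangeLog entry describes as a potential buffer overflow, and the code carries no comment saying so. I would add one above the `if`, for example `// An index >= size() appends instead of throwing (bug 25741); never pass an unchecked index to Vector::insert.`, so a later cleanup does not fold the branch back into a bare insert. The `ExceptionCode&` parameter stays unnamed and is never written, which matches the "append instead of throwing" intent but is worth stating in the same comment. The other index-taking members of SVGList are outside this hunk, so whether they bounds-check the same way should be confirmed separately. As a style point, the braces around the two single-statement branches could be dropped if the file follows the usual WebKit convention.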