summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/3rdparty/webkit/VERSION2
-rw-r--r--src/3rdparty/webkit/WebCore/ChangeLog28
-rw-r--r--src/3rdparty/webkit/WebCore/svg/SVGList.h6
3 files changed, 34 insertions, 2 deletions
diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION
index 7d5d1c5..2be6d53 100644
--- a/src/3rdparty/webkit/VERSION
+++ b/src/3rdparty/webkit/VERSION
@@ -8,4 +8,4 @@ The commit imported was from the
and has the sha1 checksum
- 4ee8af9348b3f57d3c0f3575ae0a58336cf07a92
+ 44bbcef18007e00c6cfee294640c5cfc9e464aa4
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index 072beee..fb31572 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,31 @@
+2009-05-15 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Oliver Hunt.
+
+ https://bugs.webkit.org/show_bug.cgi?id=25741
+
+ Append instead of throwing when insertItemBefore gets an out-of-bound
+ index.
+
+ Test: svg/dom/svglist-insertItemBefore-appends.html
+
+ * svg/SVGList.h:
+ (WebCore::SVGList::insertItemBefore):
+
+2009-03-19 Oliver Hunt <oliver@apple.com>
+
+ Reviewed by Darin Adler.
+
+ <rdar://problem/6702386> Incorrect bound check in SVGList::insertItemBefore
+
+ SVGList::insertItemBefore would not perform a bounds check on the
+ index it was provided, potentially leading to a buffer overflow.
+
+ Test: svg/dom/svglist-exception-on-out-bounds-error.html
+
+ * svg/SVGList.h:
+ (WebCore::SVGList::insertItemBefore):
+
2009-05-19 Kenneth Rohde Christiansen <kenneth.christiansen@openbossa.org>
Reviewed by Simon Hausmann.
diff --git a/src/3rdparty/webkit/WebCore/svg/SVGList.h b/src/3rdparty/webkit/WebCore/svg/SVGList.h
index d4f7641..5381598 100644
--- a/src/3rdparty/webkit/WebCore/svg/SVGList.h
+++ b/src/3rdparty/webkit/WebCore/svg/SVGList.h
@@ -96,7 +96,11 @@ namespace WebCore {
Item insertItemBefore(Item newItem, unsigned int index, ExceptionCode&)
{
- m_vector.insert(index, newItem);
+ if (index < m_vector.size()) {
+ m_vector.insert(index, newItem);
+ } else {
+ m_vector.append(newItem);
+ }
return newItem;
}