Title: [273868] trunk/Source/WebCore
Revision: 273868
Author: commit-qu...@webkit.org
Date: 2021-03-03 18:13:28 -0800 (Wed, 03 Mar 2021)

Log Message

Crash in removeSymbolElementsFromSubtree()
https://bugs.webkit.org/show_bug.cgi?id=222397

Patch by Julian Gonzalez <julian_a_gonza...@apple.com> on 2021-03-03
Reviewed by Ryosuke Niwa.

Skip children in removeSymbolElementsFromSubtree(), so that
we don't see nodes that have been removed in disassociateAndRemoveClones.

Thanks to Darin Adler for the initial version of this patch
and Ryosuke Niwa for refinements.

* svg/SVGUseElement.cpp:
(WebCore::removeSymbolElementsFromSubtree):

Diff

Modified: trunk/Source/WebCore/ChangeLog (273867 => 273868)


--- trunk/Source/WebCore/ChangeLog	2021-03-04 01:49:00 UTC (rev 273867)
+++ trunk/Source/WebCore/ChangeLog	2021-03-04 02:13:28 UTC (rev 273868)
@@ -1,3 +1,19 @@
+2021-03-03  Julian Gonzalez  <julian_a_gonza...@apple.com>
+
+        Crash in removeSymbolElementsFromSubtree()
+        https://bugs.webkit.org/show_bug.cgi?id=222397
+
+        Reviewed by Ryosuke Niwa.
+
+        Skip children in removeSymbolElementsFromSubtree(), so that
+        we don't see nodes that have been removed in disassociateAndRemoveClones.
+
+        Thanks to Darin Adler for the initial version of this patch
+        and Ryosuke Niwa for refinements.
+
+        * svg/SVGUseElement.cpp:
+        (WebCore::removeSymbolElementsFromSubtree):
+
 2021-03-03  Ryosuke Niwa  <rn...@webkit.org>
 
         Nulllptr crash in DeleteSelectionCommand::handleGeneralDelete()
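Review bot: the new ChangeLog entry lists only svg/SVGUseElement.cpp and names no test, although it fixes a crash tracked in bug 222397. A regression test exercising the case the fix targets (a <symbol> nested inside another <symbol> in a subtree cloned by <use>) would guard the new traversal order; suggest adding the test path as a "Test:" line in this entry alongside the bug URL.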

Modified: trunk/Source/WebCore/svg/SVGUseElement.cpp (273867 => 273868)


--- trunk/Source/WebCore/svg/SVGUseElement.cpp	2021-03-04 01:49:00 UTC (rev 273867)
+++ trunk/Source/WebCore/svg/SVGUseElement.cpp	2021-03-04 02:13:28 UTC (rev 273868)
@@ -350,8 +350,14 @@
     // into <svg> elements, which is correct for symbol elements directly referenced by use elements,
     // but incorrect for ones that just happen to be in a subtree.
     Vector<Element*> symbolElements;
-    for (auto& descendant : descendantsOfType<SVGSymbolElement>(subtree))
-        symbolElements.append(&descendant);
+    for (auto it = descendantsOfType<Element>(subtree).begin(); it; ) {
+        if (is<SVGSymbolElement>(*it)) {
+            symbolElements.append(&*it);
+            it.traverseNextSkippingChildren();
+            continue;
+        }
+        ++it;
+    }
     disassociateAndRemoveClones(symbolElements);
 }
 
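Review bot: the loop should carry a comment explaining why children of a matched symbol are skipped, since the shape of the code does not make it obvious. `symbolElements` holds raw `Element*` pointers, and, as the commit message states, `disassociateAndRemoveClones` removes nodes that the old `descendantsOfType<SVGSymbolElement>` walk would also have collected; a symbol nested inside another collected symbol would therefore be removed together with its ancestor, leaving a dangling pointer in the vector. Suggest, above the `for`:
`// Skip the subtree of a collected symbol: disassociateAndRemoveClones removes it along with the symbol,`
`// so any nested symbol collected here would be a dangling pointer by the time it is processed.`
The manual iterator loop also relies on `it` converting to false at the end of the traversal and on `traverseNextSkippingChildren()` advancing past the whole subtree; the comment should mention that `continue` deliberately bypasses the `++it` so the matched element is not advanced twice.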
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes