diff options
author | Cary Clark <cary@android.com> | 2009-06-03 16:01:34 -0400 |
---|---|---|
committer | Cary Clark <cary@android.com> | 2009-06-03 16:51:42 -0400 |
commit | df1815070cfd8d2ed6f7101d1b8d60d037c839e6 (patch) | |
tree | 22220c4d20b523f5900f16b5b5c6614e08fc6d43 /WebCore/bindings/js/JSImageConstructor.cpp | |
parent | d15fb80564c4e30b088ca87fa21a03d67675c662 (diff) | |
download | external_webkit-df1815070cfd8d2ed6f7101d1b8d60d037c839e6.zip external_webkit-df1815070cfd8d2ed6f7101d1b8d60d037c839e6.tar.gz external_webkit-df1815070cfd8d2ed6f7101d1b8d60d037c839e6.tar.bz2 |
browser security patches
Bug 25420: REGRESSION: XMLHttpRequest allows loading from another
origin
- fix: http://trac.webkit.org/changeset/42983
Bug 24575: Cross-origin XMLHttpRequest is always allowed
- fix: http://trac.webkit.org/projects/webkit/changeset/41667
Bug 21456: UXSS after navigation via directly referencing document
- fix: http://trac.webkit.org/changeset/42223
Bug 22655: Stack overflow crash in WebCore::RenderBlock::layout()
with deeply nested <div>s
- fix: http://trac.webkit.org/projects/webkit/changeset/41938
Diffstat (limited to 'WebCore/bindings/js/JSImageConstructor.cpp')
-rw-r--r-- | WebCore/bindings/js/JSImageConstructor.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/WebCore/bindings/js/JSImageConstructor.cpp b/WebCore/bindings/js/JSImageConstructor.cpp index 0dc55b4..54e8be7 100644 --- a/WebCore/bindings/js/JSImageConstructor.cpp +++ b/WebCore/bindings/js/JSImageConstructor.cpp @@ -56,7 +56,8 @@ static JSObject* constructImage(ExecState* exec, JSObject* constructor, const Ar } Document* document = static_cast<JSImageConstructor*>(constructor)->document(); - + if (!document) + return throwError(exec, ReferenceError, "Image constructor associated document is unavailable"); // Calling toJS on the document causes the JS document wrapper to be // added to the window object. This is done to ensure that JSDocument::mark // will be called (which will cause the image element to be marked if necessary). |