-rwxr-xr-xWebCore/bindings/v8/custom/V8WebKitPointConstructor.cpp4
-rw-r--r--WebCore/css/CSSPrimitiveValue.cpp11
-rw-r--r--WebCore/loader/DocumentThreadableLoader.cpp1
-rw-r--r--WebKit/android/jni/WebViewCore.cpp7
4 files changed, 14 insertions, 9 deletions
diff --git a/WebCore/bindings/v8/custom/V8WebKitPointConstructor.cpp b/WebCore/bindings/v8/custom/V8WebKitPointConstructor.cpp
index 58f810b..1959454 100755
--- a/WebCore/bindings/v8/custom/V8WebKitPointConstructor.cpp
+++ b/WebCore/bindings/v8/custom/V8WebKitPointConstructor.cpp
@@ -43,6 +43,10 @@ namespace WebCore {
v8::Handle<v8::Value> V8WebKitPoint::constructorCallback(const v8::Arguments& args)
{
INC_STATS("DOM.WebKitPoint.Constructor");
+
+ if (!args.IsConstructCall())
+ return throwError("DOM object constructor cannot be called as a function.");
+
float x = 0;
float y = 0;
if (args.Length() > 1) {
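Review bot: The new construct-call guard sits after `INC_STATS("DOM.WebKitPoint.Constructor")`, so a plain function call that is rejected is still counted as a constructor invocation; if the stats are consulted, moving the two added lines above INC_STATS keeps the counter honest. The guard itself looks like the right fix, presumably because the remainder of the callback wraps `args.Holder()` as the new WebKitPoint and there is no such holder without `new` — that remainder lies outside the hunk, as does the end of constructorCallback. A one-line why-comment would help the next reader: `// Without 'new' there is no holder object to wrap, so reject the call.`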
diff --git a/WebCore/css/CSSPrimitiveValue.cpp b/WebCore/css/CSSPrimitiveValue.cpp
index 1f2c9ca..012aa56 100644
--- a/WebCore/css/CSSPrimitiveValue.cpp
+++ b/WebCore/css/CSSPrimitiveValue.cpp
@@ -477,9 +477,8 @@ void CSSPrimitiveValue::setFloatValue(unsigned short unitType, double floatValue
{
ec = 0;
- // FIXME: check if property supports this type
- if (m_type > CSS_DIMENSION) {
- ec = SYNTAX_ERR;
+ if (m_type < CSS_NUMBER || m_type > CSS_DIMENSION || unitType < CSS_NUMBER || unitType > CSS_DIMENSION) {
+ ec = INVALID_ACCESS_ERR;
return;
}
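Review bot: The new condition in setFloatValue writes the CSS_NUMBER..CSS_DIMENSION range test out twice (once for m_type, once for unitType), and the setStringValue hunk below does the same for CSS_STRING..CSS_ATTR; a file-local predicate per range would make both checks read as the intent rather than four comparisons, e.g. `static inline bool isNumericUnitType(unsigned short t) { return t >= CSS_NUMBER && t <= CSS_DIMENSION; }` with the condition becoming `if (!isNumericUnitType(m_type) || !isNumericUnitType(unitType))`, and a string counterpart for the second hunk. The removed `// FIXME: check if property supports this type` raised a concern that the added unitType range check does not appear to cover (which unit types a particular property accepts), so I would keep that FIXME unless it is known to be obsolete. Both setFloatValue and setStringValue continue past their hunks.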
@@ -568,10 +567,8 @@ void CSSPrimitiveValue::setStringValue(unsigned short stringType, const String&
{
ec = 0;
- //if(m_type < CSS_STRING) throw DOMException(INVALID_ACCESS_ERR);
- //if(m_type > CSS_ATTR) throw DOMException(INVALID_ACCESS_ERR);
- if (m_type < CSS_STRING || m_type > CSS_ATTR) {
- ec = SYNTAX_ERR;
+ if (m_type < CSS_STRING || m_type > CSS_ATTR || stringType < CSS_STRING || stringType > CSS_ATTR) {
+ ec = INVALID_ACCESS_ERR;
return;
}
diff --git a/WebCore/loader/DocumentThreadableLoader.cpp b/WebCore/loader/DocumentThreadableLoader.cpp
index de0a0b0..d0f6c04 100644
--- a/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/WebCore/loader/DocumentThreadableLoader.cpp
@@ -287,6 +287,7 @@ void DocumentThreadableLoader::preflightSuccess()
void DocumentThreadableLoader::preflightFailure()
{
+ m_actualRequest = 0; // Prevent didFinishLoading() from bypassing access check.
m_client->didFail(ResourceError());
}
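Review bot: The reset fixes the bypass the comment names, but the comment says what it prevents rather than why the member is stale at this point; presumably the preflight's own completion can still reach didFinishLoading while m_actualRequest holds the request that is only meant to go out after a successful preflight, and a sentence saying so would keep a later refactor from reordering these two lines. If m_actualRequest is an OwnPtr, `m_actualRequest.clear();` states the intent more directly than assigning 0. It is also worth confirming that every other path that abandons a preflight (cancellation, or a didFail on the preflight load itself) clears it the same way; those paths are outside this hunk.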
diff --git a/WebKit/android/jni/WebViewCore.cpp b/WebKit/android/jni/WebViewCore.cpp
index 9c64566..eafd91c 100644
--- a/WebKit/android/jni/WebViewCore.cpp
+++ b/WebKit/android/jni/WebViewCore.cpp
@@ -2073,8 +2073,11 @@ bool WebViewCore::handleTouchEvent(int action, int x, int y, int metaState)
// Track previous touch and if stationary set the state.
WebCore::IntPoint pt(x - m_scrollOffsetX, y - m_scrollOffsetY);
- if (type == WebCore::TouchMove && pt == m_lastTouchPoint)
- touchState = WebCore::PlatformTouchPoint::TouchStationary;
+// handleTouchEvent() in EventHandler.cpp doesn't handle TouchStationary, which
+// causes preventDefault be false when it returns. As our Java side may continue
+// process the events if WebKit doesn't, it can cause unexpected result.
+// if (type == WebCore::TouchMove && pt == m_lastTouchPoint)
+// touchState = WebCore::PlatformTouchPoint::TouchStationary;
m_lastTouchPoint = pt;
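Review bot: The TouchStationary assignment is kept as commented-out code instead of being deleted; since the explanation above it already records why the branch went away, the two `// if (type == ...` / `// touchState = ...` lines can be removed — version control keeps the history, and dead code next to the live `m_lastTouchPoint = pt;` invites someone to uncomment it without re-reading the rationale. The explanatory comment also reads awkwardly; I would rewrite it as `// EventHandler::handleTouchEvent() does not handle TouchStationary, so reporting it makes preventDefault come back false and the Java side keeps processing events WebKit did not, with unexpected results.` With the branch gone, touchState presumably keeps whatever value it was given earlier in the function for a stationary move, which is worth stating in the comment as intended behaviour. handleTouchEvent starts and ends outside this hunk.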