From 65966ae193adfef8d40419ad9c11515b0e56f257 Mon Sep 17 00:00:00 2001
From: Cary Clark
Date: Wed, 21 Apr 2010 14:18:24 -0400
Subject: nextTextField may walk off the end or try invalid frames
Rewrote nextTextField() to check range and frame, and to more resemble other node walkers. Caller no longer passes uninitialized frame in focused case, and looks at parent frames after the target node.
Change-Id: I7ea9dffb75d28bdd9d71d83921058feca6baf928
http://b/2607250
---
 WebKit/android/nav/CachedFrame.cpp | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
(limited to 'WebKit/android/nav/CachedFrame.cpp')
diff --git a/WebKit/android/nav/CachedFrame.cpp b/WebKit/android/nav/CachedFrame.cpp
index 21a4115..ce5600b 100644
--- a/WebKit/android/nav/CachedFrame.cpp
+++ b/WebKit/android/nav/CachedFrame.cpp
@@ -928,28 +928,27 @@ int CachedFrame::maxWorkingVertical() const
 }
 
 const CachedNode* CachedFrame::nextTextField(const CachedNode* start,
- const CachedFrame** framePtr) const
+ const CachedFrame** framePtr, bool* startFound) const
 {
- CachedNode* test;
- if (start) {
- test = const_cast(start);
- test++;
- } else {
- test = const_cast(mCachedNodes.begin());
- }
- while (test != mCachedNodes.end()) {
- CachedFrame* frame = const_cast(hasFrame(test));
+ const CachedNode* test = mCachedNodes.begin();
+ while ((test = test->traverseNextNode())) {
+ const CachedFrame* frame = hasFrame(test);
 if (frame) {
+ if (!frame->validDocument())
+ continue;
 const CachedNode* node
- = frame->nextTextField(0, framePtr);
+ = frame->nextTextField(start, framePtr, startFound);
 if (node)
 return node;
 } else if (test->isTextInput()) {
- if (framePtr)
- *framePtr = this;
- return test;
+ if (test == start)
+ *startFound = true;
+ else if (*startFound) {
+ if (framePtr)
+ *framePtr = this;
+ return test;
+ }
 }
- test++;
 }
 return 0;
 }
--
cgit v1.1
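Review bot: `startFound` is dereferenced unconditionally in the `isTextInput()` branch (`*startFound = true` and `else if (*startFound)`), while `framePtr` a few lines below is null-checked, so the two out-parameters carry different contracts and nothing on the signature says so. The result also depends on the value the caller stored in `*startFound` before the call, and the caller is not part of this diff; an uninitialized bool there would be the same kind of defect the commit message says it fixes for the frame pointer. I would state the contract above the definition, e.g. `// startFound must be non-null and initialized by the caller: true returns the first text input other than start, false skips up to and including start.`, and guard the entry with `if (!startFound) return 0;`. Separately, the loop advances with `traverseNextNode()` before examining anything, so the node at `mCachedNodes.begin()` is never tested and is used as the starting object even when the container is empty; if a cached frame always holds a root node, a one-line comment saying so would make the range assumption checkable.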