2011-03-10 Berend-Jan Wever <skylined@chromium.org>

        Reviewed by Darin Adler.

        Calling focus() on an area element not in a document should not cause a NULL ptr crash
        https://bugs.webkit.org/show_bug.cgi?id=54877

        * fast/dom/HTMLAreaElement: Added.
        * fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash-expected.txt: Added.
        * fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash.html: Added.
2011-03-10  Berend-Jan Wever  <skylined@chromium.org>

        Reviewed by Darin Adler.

        Calling focus() on an area element not in a document should not cause a NULL ptr crash
        https://bugs.webkit.org/show_bug.cgi?id=54877

        Test: fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash.html

        * dom/Element.cpp:
        (WebCore::Element::focus): Check element is in the document before allowing focus
        * html/HTMLAreaElement.cpp:
        (WebCore::HTMLAreaElement::imageElement): Check element has a parent before checking if its parent is a map

git-svn-id: svn://svn.chromium.org/blink/trunk@80779 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2011-03-10  Berend-Jan Wever  <skylined@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Calling focus() on an area element not in a document should not cause a NULL ptr crash
+        https://bugs.webkit.org/show_bug.cgi?id=54877
+
+        * fast/dom/HTMLAreaElement: Added.
+        * fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash-expected.txt: Added.
+        * fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash.html: Added.
+
 2011-03-10  Ryosuke Niwa  <rniwa@webkit.org>
 
         Windows rebaselines for r80755.

third_party/WebKit/LayoutTests/fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash-expected.txt

+PASS

third_party/WebKit/LayoutTests/fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash.html

+<!--
+  http://code.google.com/p/chromium/issues/detail?id=73650
+  https://bugs.webkit.org/show_bug.cgi?id=54877
+-->
+<div id="log">FAIL</div>
+<script>
+  window.layoutTestController && layoutTestController.dumpAsText();
+
+  oArea = document.createElement('area');
+  oArea.href = 0;
+  oArea.focus();
+
+  log.innerHTML = "PASS";
+</script>

third_party/WebKit/Source/WebCore/ChangeLog

+2011-03-10  Berend-Jan Wever  <skylined@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Calling focus() on an area element not in a document should not cause a NULL ptr crash
+        https://bugs.webkit.org/show_bug.cgi?id=54877
+
+        Test: fast/dom/HTMLAreaElement/area-islink-focus-null-ptr-crash.html
+
+        * dom/Element.cpp:
+        (WebCore::Element::focus): Check element is in the document before allowing focus
+        * html/HTMLAreaElement.cpp: 
+        (WebCore::HTMLAreaElement::imageElement): Check element has a parent before checking if its parent is a map
+
 2011-03-10  Xiyuan Xia  <xiyuan@chromium.org>
 
         Reviewed by Tony Chang.

third_party/WebKit/Source/WebCore/dom/Element.cpp

@@ -1490,6 +1490,9 @@ CSSStyleDeclaration *Element::style()
 
 void Element::focus(bool restorePreviousSelection)
 {
+    if (!inDocument())
+        return;
+
     Document* doc = document();
     if (doc->focusedNode() == this)
         return;

third_party/WebKit/Source/WebCore/html/HTMLAreaElement.cpp

@@ -175,7 +175,7 @@ Path HTMLAreaElement::getRegion(const IntSize& size) const
 HTMLImageElement* HTMLAreaElement::imageElement() const
 {
     Node* mapElement = parentNode();
-    if (!mapElement->hasTagName(mapTag))
+    if (!mapElement || !mapElement->hasTagName(mapTag))
         return 0;
     
     return static_cast<HTMLMapElement*>(mapElement)->imageElement();