Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (92916 => 92917)
--- branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 04:39:37 UTC (rev 92916)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog 2011-08-12 04:54:26 UTC (rev 92917)
@@ -1,5 +1,26 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 89987
+
+ 2011-06-28 Roland Steiner <[email protected]>
+
+ Reviewed by Eric Seidel.
+
+ Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
+ https://bugs.webkit.org/show_bug.cgi?id=55930
+
+ Test that a generated block child + counter within a <ruby> doesn't crash.
+ (Test as provided by original reporter).
+
+ * fast/ruby/generated-after-counter-doesnt-crash-expected.txt: Added.
+ * fast/ruby/generated-after-counter-doesnt-crash.html: Added.
+ * fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt: Added.
+ * fast/ruby/generated-before-and-after-counter-doesnt-crash.html: Added.
+ * fast/ruby/generated-before-counter-doesnt-crash-expected.txt: Added.
+ * fast/ruby/generated-before-counter-doesnt-crash.html: Added.
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 88434
2011-06-09 Adam Barth <[email protected]>
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt (from rev 89987, trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://XX/
+This test passes if it doesn't crash.
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html (from rev 89987, trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,26 @@
+<html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:after{
+ counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::after{
+ display: table;
+ content: url("http://XX");
+}
+
+</style>
+ <ruby>
+ <ruby>
+ <ruby>
+<style type="text/css">
+ruby{
+ float: left;
+}
+</style>
+ <ruby>
+This test passes if it doesn't crash.
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt (from rev 89987, trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,3 @@
+Blocked access to external URL http://XX/
+Blocked access to external URL http://YY/
+This test passes if it doesn't crash.
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html (from rev 89987, trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,33 @@
+<html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:before{
+ counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::before{
+ display: table;
+ content: url("http://XX");
+}
+ruby:after{
+ counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::after{
+ display: table;
+ content: url("http://YY");
+}
+
+</style>
+ <ruby>
+ <ruby>
+ <ruby>
+<style type="text/css">
+ruby{
+ float: left;
+}
+</style>
+ <ruby>
+This test passes if it doesn't crash.
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt (from rev 89987, trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://XX/
+This test passes if it doesn't crash.
Copied: branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html (from rev 89987, trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html) (0 => 92917)
--- branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html 2011-08-12 04:54:26 UTC (rev 92917)
@@ -0,0 +1,26 @@
+<html>
+<script>
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:before{
+ counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::before{
+ display: table;
+ content: url("http://XX");
+}
+
+</style>
+ <ruby>
+ <ruby>
+ <ruby>
+<style type="text/css">
+ruby{
+ float: right;
+}
+</style>
+ <ruby>
+This test passes if it doesn't crash.
Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (92916 => 92917)
--- branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 04:39:37 UTC (rev 92916)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog 2011-08-12 04:54:26 UTC (rev 92917)
@@ -1,5 +1,33 @@
2011-08-11 Lucas Forschler <[email protected]>
+ Merged 89987
+
+ 2011-06-28 Roland Steiner <[email protected]>
+
+ Reviewed by Eric Seidel.
+
+ Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
+ https://bugs.webkit.org/show_bug.cgi?id=55930
+
+ Don't set style type BEFORE/AFTER on anonymous wrapper block.
+ Rather, check style type on generated wrapped child.
+
+ Tests: fast/ruby/generated-after-counter-doesnt-crash.html
+ fast/ruby/generated-before-and-after-counter-doesnt-crash.html
+ fast/ruby/generated-before-counter-doesnt-crash.html
+
+ * rendering/RenderRuby.cpp:
+ (WebCore::isAnonymousRubyInlineBlock):
+ (WebCore::isRubyBeforeBlock):
+ (WebCore::isRubyAfterBlock):
+ (WebCore::rubyBeforeBlock):
+ (WebCore::rubyAfterBlock):
+ (WebCore::createAnonymousRubyInlineBlock):
+ (WebCore::RenderRubyAsInline::addChild):
+ (WebCore::RenderRubyAsBlock::addChild):
+
+2011-08-11 Lucas Forschler <[email protected]>
+
Merged 89214
2011-06-19 Michael Saboff <[email protected]>
Modified: branches/safari-534.51-branch/Source/WebCore/rendering/RenderRuby.cpp (92916 => 92917)
--- branches/safari-534.51-branch/Source/WebCore/rendering/RenderRuby.cpp 2011-08-12 04:39:37 UTC (rev 92916)
+++ branches/safari-534.51-branch/Source/WebCore/rendering/RenderRuby.cpp 2011-08-12 04:54:26 UTC (rev 92917)
@@ -40,33 +40,53 @@
//=== generic helper functions to avoid excessive code duplication ===
-static inline bool isAnonymousRubyInlineBlock(RenderObject* object)
+static inline bool isAnonymousRubyInlineBlock(const RenderObject* object)
{
- ASSERT(!object->parent()->isRuby()
+ ASSERT(!object
+ || !object->parent()->isRuby()
|| object->isRubyRun()
|| (object->isInline() && (object->isBeforeContent() || object->isAfterContent()))
|| (object->isAnonymous() && object->isRenderBlock() && object->style()->display() == INLINE_BLOCK));
- return object->parent()->isRuby() && object->isRenderBlock() && !object->isRubyRun();
+
+ return object
+ && object->parent()->isRuby()
+ && object->isRenderBlock()
+ && !object->isRubyRun();
}
+static inline bool isRubyBeforeBlock(const RenderObject* object)
+{
+ return isAnonymousRubyInlineBlock(object)
+ && !object->previousSibling()
+ && object->firstChild()
+ && object->firstChild()->style()->styleType() == BEFORE;
+}
+
+static inline bool isRubyAfterBlock(const RenderObject* object)
+{
+ return isAnonymousRubyInlineBlock(object)
+ && !object->nextSibling()
+ && object->firstChild()
+ && object->firstChild()->style()->styleType() == AFTER;
+}
+
static inline RenderBlock* rubyBeforeBlock(const RenderObject* ruby)
{
RenderObject* child = ruby->firstChild();
- return child && !child->isRubyRun() && child->isRenderBlock() && child->style()->styleType() == BEFORE ? static_cast<RenderBlock*>(child) : 0;
+ return isRubyBeforeBlock(child) ? static_cast<RenderBlock*>(child) : 0;
}
static inline RenderBlock* rubyAfterBlock(const RenderObject* ruby)
{
RenderObject* child = ruby->lastChild();
- return child && !child->isRubyRun() && child->isRenderBlock() && child->style()->styleType() == AFTER ? static_cast<RenderBlock*>(child) : 0;
+ return isRubyAfterBlock(child) ? static_cast<RenderBlock*>(child) : 0;
}
-static RenderBlock* createAnonymousRubyInlineBlock(RenderObject* ruby, PseudoId styleType)
+static RenderBlock* createAnonymousRubyInlineBlock(RenderObject* ruby)
{
RefPtr<RenderStyle> newStyle = RenderStyle::createAnonymousStyle(ruby->style());
newStyle->setDisplay(INLINE_BLOCK);
- newStyle->setStyleType(styleType);
-
+
RenderBlock* newBlock = new (ruby->renderArena()) RenderBlock(ruby->document() /* anonymous box */);
newBlock->setStyle(newStyle.release());
return newBlock;
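Review bot: The new `isRubyBeforeBlock`/`isRubyAfterBlock` helpers carry the actual fix — the pseudo-element type is read from the wrapped generated child via `firstChild()->style()->styleType()`, not from the anonymous wrapper, and the wrapper must additionally be the ruby's first or last child — but nothing in the code says why, so a later cleanup could move the `styleType()` check back onto the wrapper and reintroduce the original crash. I would add above `isRubyBeforeBlock` a comment such as `// The anonymous inline-block wrapper deliberately has no BEFORE/AFTER style type (see createAnonymousRubyInlineBlock);` / `// recognize it by its position in the ruby and by the styleType() of the generated child it wraps.` A smaller point: `isAnonymousRubyInlineBlock` now tolerates a null `object` (which is what lets `rubyBeforeBlock`/`rubyAfterBlock` drop their `child &&` guards), yet it still dereferences `object->parent()` unconditionally in both the `ASSERT` and the return expression; that is fine for the `firstChild()`/`lastChild()` callers in this hunk, which always pass an attached child, but the asymmetry invites misuse on a detached renderer, so a comment stating the precondition or an explicit `ASSERT(object->parent())` would make it visible.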
@@ -110,7 +130,7 @@
// Wrap non-inline content with an anonymous inline-block.
RenderBlock* beforeBlock = rubyBeforeBlock(this);
if (!beforeBlock) {
- beforeBlock = createAnonymousRubyInlineBlock(this, BEFORE);
+ beforeBlock = createAnonymousRubyInlineBlock(this);
RenderInline::addChild(beforeBlock, firstChild());
}
beforeBlock->addChild(child);
@@ -125,7 +145,7 @@
// Wrap non-inline content with an anonymous inline-block.
RenderBlock* afterBlock = rubyAfterBlock(this);
if (!afterBlock) {
- afterBlock = createAnonymousRubyInlineBlock(this, AFTER);
+ afterBlock = createAnonymousRubyInlineBlock(this);
RenderInline::addChild(afterBlock);
}
afterBlock->addChild(child);
@@ -211,7 +231,7 @@
// Wrap non-inline content with an anonymous inline-block.
RenderBlock* beforeBlock = rubyBeforeBlock(this);
if (!beforeBlock) {
- beforeBlock = createAnonymousRubyInlineBlock(this, BEFORE);
+ beforeBlock = createAnonymousRubyInlineBlock(this);
RenderBlock::addChild(beforeBlock, firstChild());
}
beforeBlock->addChild(child);
@@ -226,7 +246,7 @@
// Wrap non-inline content with an anonymous inline-block.
RenderBlock* afterBlock = rubyAfterBlock(this);
if (!afterBlock) {
- afterBlock = createAnonymousRubyInlineBlock(this, AFTER);
+ afterBlock = createAnonymousRubyInlineBlock(this);
RenderBlock::addChild(afterBlock);
}
afterBlock->addChild(child);