Title: [112596] trunk/Source/WebCore
Revision
112596
Author
jer.no...@apple.com
Date
2012-03-29 16:03:58 -0700 (Thu, 29 Mar 2012)

Log Message

Heap-use-after-free in WebCore::InlineFlowBox::deleteLine due to fullscreen issues.
https://bugs.webkit.org/show_bug.cgi?id=82055

Reviewed by David Hyatt.

No new tests; fixes fuzz test crasher which is not reproducible in DRT or WKTR.

When a RenderFullScreen object is inserted between a child and parent renderer, make sure the
parent renderer deletes its line boxes by calling setNeedsLayoutAndPrefWidthsRecalc().  This
forces its InlineBox renderers to be removed from the line boxes and their parents in the correct
order, fixing a double-delete crash.

The same is true when unwrapping the RenderFullScreen object, and when creating and inserting
the full screen placeholder.

* rendering/RenderFullScreen.cpp:
(RenderFullScreen::wrapRenderer):
(RenderFullScreen::unwrapRenderer):
(RenderFullScreen::createPlaceholder):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (112595 => 112596)


--- trunk/Source/WebCore/ChangeLog	2012-03-29 23:01:46 UTC (rev 112595)
+++ trunk/Source/WebCore/ChangeLog	2012-03-29 23:03:58 UTC (rev 112596)
@@ -1,3 +1,25 @@
+2012-03-28  Jer Noble  <jer.no...@apple.com>
+
+        Heap-use-after-free in WebCore::InlineFlowBox::deleteLine due to fullscreen issues.
+        https://bugs.webkit.org/show_bug.cgi?id=82055
+
+        Reviewed by David Hyatt.
+
+        No new tests; fixes fuzz test crasher which is not reproducible in DRT or WKTR.
+
+        When a RenderFullScreen object is inserted between a child and parent renderer, make sure the
+        parent renderer deletes its line boxes by calling setNeedsLayoutAndPrefWidthsRecalc().  This
+        forces its InlineBox renderers to be removed from the line boxes and their parents in the correct
+        order, fixing a double-delete crash.
+
+        The same is true when unwrapping the RenderFullScreen object, and when creating and inserting
+        the full screen placeholder.
+
+        * rendering/RenderFullScreen.cpp:
+        (RenderFullScreen::wrapRenderer):
+        (RenderFullScreen::unwrapRenderer):
+        (RenderFullScreen::createPlaceholder):
+
 2012-03-29  Benjamin Poulain  <bpoul...@apple.com>
 
         Get rid of Geolocation::positionChangedInternal(), use positionChanged() directly
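Review bot: the new ChangeLog entry is dated 2012-03-28 but is committed on 2012-03-29 and placed above Benjamin Poulain's 2012-03-29 entry, so the file is now out of date order; change the header to `2012-03-29  Jer Noble  <jer.no...@apple.com>` so it matches the revision date and the entry below it.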

Modified: trunk/Source/WebCore/rendering/RenderFullScreen.cpp (112595 => 112596)


--- trunk/Source/WebCore/rendering/RenderFullScreen.cpp	2012-03-29 23:01:46 UTC (rev 112595)
+++ trunk/Source/WebCore/rendering/RenderFullScreen.cpp	2012-03-29 23:03:58 UTC (rev 112596)
@@ -113,8 +113,10 @@
         if (RenderObject* parent = object->parent()) {
             parent->addChild(fullscreenRenderer, object);
             object->remove();
+            parent->setNeedsLayoutAndPrefWidthsRecalc();
         }
         fullscreenRenderer->addChild(object);
+        fullscreenRenderer->setNeedsLayoutAndPrefWidthsRecalc();
     }
     document->setFullScreenRenderer(fullscreenRenderer);
     return fullscreenRenderer;
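Review bot: the two added setNeedsLayoutAndPrefWidthsRecalc() calls are the entire fix for the double-delete described in bug 82055, yet nothing at the call sites says why they are needed, so a later cleanup could drop them as redundant invalidation of renderers that are about to be laid out anyway; add a one-line comment above `parent->setNeedsLayoutAndPrefWidthsRecalc();` stating that it forces the parent to delete its line boxes so that the InlineBox renderers are detached in the right order. It is also worth confirming whether that call should come before `object->remove();` rather than after it, since the ChangeLog describes the parent tearing down its line boxes ahead of the child removal.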
@@ -127,6 +129,7 @@
         while ((child = firstChild())) {
             child->remove();
             parent()->addChild(child, this);
+            parent()->setNeedsLayoutAndPrefWidthsRecalc();
         }
     }
     if (placeholder())
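Review bot: `parent()->setNeedsLayoutAndPrefWidthsRecalc();` sits inside the `while ((child = firstChild()))` loop and so runs once per reparented child although `parent()` is the same renderer on every iteration; unless the invalidation has to happen between each `addChild`, hoist it to a single call after the loop, and if the per-iteration placement is deliberate, a comment should say why.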
@@ -150,8 +153,10 @@
     if (!m_placeholder) {
         m_placeholder = new (document()->renderArena()) RenderFullScreenPlaceholder(this);
         m_placeholder->setStyle(style);
-        if (parent())
+        if (parent()) {
             parent()->addChild(m_placeholder, this);
+            parent()->setNeedsLayoutAndPrefWidthsRecalc();
+        }
     } else
         m_placeholder->setStyle(style);
 }
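Review bot: with this hunk `m_placeholder->setStyle(style);` still runs on both the `if (!m_placeholder)` path and the `else` path; since the creation path is being touched anyway, hoisting the setStyle call below the if/else would leave the creation branch doing only allocation, insertion and the new `parent()->setNeedsLayoutAndPrefWidthsRecalc();`, and would drop the `else` clause entirely.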
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes