Title: [124491] trunk
Revision
124491
Author
[email protected]
Date
2012-08-02 13:44:31 -0700 (Thu, 02 Aug 2012)

Log Message

No isChildAllowed checked when adding RenderFullScreen as the child..
https://bugs.webkit.org/show_bug.cgi?id=92995

Reviewed by Eric Seidel.

Source/WebCore:

Test: fullscreen/fullscreen-child-not-allowed-crash.html

* dom/Document.cpp:
(WebCore::Document::webkitWillEnterFullScreenForElement): pass the object's parent
pointer as an additional argument.
* dom/NodeRenderingContext.cpp:
(WebCore::NodeRendererFactory::createRendererIfNeeded): pass the prospective parent |parentRenderer|
as the argument.
* rendering/RenderFullScreen.cpp:
(RenderFullScreen::wrapRenderer): make sure that parent allows RenderFullScreen as the child.
* rendering/RenderFullScreen.h:
(RenderFullScreen): support the object's parent
pointer as an additional argument.

LayoutTests:

* fullscreen/fullscreen-child-not-allowed-crash-expected.txt: Added.
* fullscreen/fullscreen-child-not-allowed-crash.html: Added.


Modified: trunk/LayoutTests/ChangeLog (124490 => 124491)


--- trunk/LayoutTests/ChangeLog	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/LayoutTests/ChangeLog	2012-08-02 20:44:31 UTC (rev 124491)
@@ -1,3 +1,13 @@
+2012-08-02  Abhishek Arya  <[email protected]>
+
+        No isChildAllowed checked when adding RenderFullScreen as the child..
+        https://bugs.webkit.org/show_bug.cgi?id=92995
+
+        Reviewed by Eric Seidel.
+
+        * fullscreen/fullscreen-child-not-allowed-crash-expected.txt: Added.
+        * fullscreen/fullscreen-child-not-allowed-crash.html: Added.
+
 2012-08-02  Philip Rogers  <[email protected]>
 
         Do not dispatch modification events in SVG attribute synchronization

Added: trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt (0 => 124491)


--- trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash-expected.txt	2012-08-02 20:44:31 UTC (rev 124491)
@@ -0,0 +1,4 @@
+Test passes if it does not crash.
+
+END OF TEST
+

Added: trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html (0 => 124491)


--- trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html	2012-08-02 20:44:31 UTC (rev 124491)
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+<body _onload_="init()">
+<p>Test passes if it does not crash.</p>
+<div id="div1">
+<script>
+var init = function() {
+    // Bail out early if the full screen API is not enabled or is missing:
+    if (Element.prototype.webkitRequestFullScreen == undefined) {
+        logResult(false, "Element.prototype.webkitRequestFullScreen == undefined");
+        endTest();
+    } else {
+        runWithKeyDown(function() { div1.webkitRequestFullScreen() });        
+    }
+    
+    frameset1 = document.createElementNS("http://www.w3.org/1999/xhtml", "frameset");
+    document.body.appendChild(frameset1);
+    setTimeout("crash()", 0);
+};
+
+function crash() {
+    frameset1.appendChild(div1);
+	if (window.eventSender)
+        eventSender.keyDown("X");
+    endTest();
+}
+</script>
+</html>
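Review bot: The test calls `logResult`, `endTest` and `runWithKeyDown`, none of which are defined in this file, so it depends entirely on the helper loaded by the `<script src="">` tag on its third line, whose src is empty and whose tag is unclosed as this page shows it — presumably the shared full-screen test helper, but worth confirming the include survived in the committed file. The `_onload_` attribute on `<body>` looks equally mangled and would need to be `onload` for `init()` to run at all. Minor style: the lines inside `init` carry trailing whitespace and `crash` mixes a tab with spaces, and the file is added with `svn:executable`, which an HTML layout test does not need.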
Property changes on: trunk/LayoutTests/fullscreen/fullscreen-child-not-allowed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (124490 => 124491)


--- trunk/Source/WebCore/ChangeLog	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/Source/WebCore/ChangeLog	2012-08-02 20:44:31 UTC (rev 124491)
@@ -1,3 +1,24 @@
+2012-08-02  Abhishek Arya  <[email protected]>
+
+        No isChildAllowed checked when adding RenderFullScreen as the child..
+        https://bugs.webkit.org/show_bug.cgi?id=92995
+
+        Reviewed by Eric Seidel.
+
+        Test: fullscreen/fullscreen-child-not-allowed-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::webkitWillEnterFullScreenForElement): pass the object's parent
+        pointer as an additional argument.
+        * dom/NodeRenderingContext.cpp:
+        (WebCore::NodeRendererFactory::createRendererIfNeeded): pass the to be parent |parentRenderer|
+        as the argument. 
+        * rendering/RenderFullScreen.cpp:
+        (RenderFullScreen::wrapRenderer): make sure that parent allows RenderFullScreen as the child.
+        * rendering/RenderFullScreen.h: 
+        (RenderFullScreen): support the object's parent
+        pointer as an additional argument.
+
 2012-08-01  James Robinson  <[email protected]>
 
         [chromium] Wrap shared context getters in WebKit API and avoid WebCore::GraphicsContext3D use in compositor internals

Modified: trunk/Source/WebCore/dom/Document.cpp (124490 => 124491)


--- trunk/Source/WebCore/dom/Document.cpp	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/Source/WebCore/dom/Document.cpp	2012-08-02 20:44:31 UTC (rev 124491)
@@ -5614,7 +5614,7 @@
     }
 
     if (m_fullScreenElement != documentElement())
-        RenderFullScreen::wrapRenderer(renderer, this);
+        RenderFullScreen::wrapRenderer(renderer, renderer ? renderer->parent() : 0, this);
 
     m_fullScreenElement->setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(true);
     
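Review bot: The return value of `wrapRenderer` is still discarded on the changed line, and with this commit a null return is now a meaningful outcome (the existing parent rejected a RenderFullScreen child) rather than only the null-renderer case, yet the code that follows continues as though the element had been wrapped. If that is intended — the element simply stays unwrapped and the crash is avoided — a comment would save the next reader the trip into RenderFullScreen.cpp: `// wrapRenderer() returns 0 when the existing parent does not accept a RenderFullScreen child; the element is then left unwrapped.` Whether anything later in this function relies on a full-screen renderer having been installed cannot be told from the hunk; the enclosing `webkitWillEnterFullScreenForElement` starts and ends outside it.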

Modified: trunk/Source/WebCore/dom/NodeRenderingContext.cpp (124490 => 124491)


--- trunk/Source/WebCore/dom/NodeRenderingContext.cpp	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/Source/WebCore/dom/NodeRenderingContext.cpp	2012-08-02 20:44:31 UTC (rev 124491)
@@ -325,7 +325,7 @@
 
 #if ENABLE(FULLSCREEN_API)
     if (document->webkitIsFullScreen() && document->webkitCurrentFullScreenElement() == node)
-        newRenderer = RenderFullScreen::wrapRenderer(newRenderer, document);
+        newRenderer = RenderFullScreen::wrapRenderer(newRenderer, parentRenderer, document);
 #endif
 
     if (!newRenderer)
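Review bot: On the new rejection path the freshly created `newRenderer` appears to be leaked: `wrapRenderer` now returns 0 when `parentRenderer` refuses a RenderFullScreen child, but it only destroys the wrapper it allocated and never touches `object`, and the assignment on the changed line overwrites the only pointer to the still-unattached renderer before the `if (!newRenderer)` bail-out. At the Document.cpp call site `object` is an already-attached renderer that must not be destroyed, so the cleanup belongs here, where the renderer is known to be unattached; presumably `destroy()` is the right teardown for an arena-allocated renderer that was never added to a parent, since `wrapRenderer` uses it for its own wrapper in the same situation. This assumes `wrapRenderer` returns non-null whenever it adopted `object`, which the visible part of it suggests but does not prove. The enclosing `createRendererIfNeeded` starts before and ends after this hunk.
```cpp
#if ENABLE(FULLSCREEN_API)
    if (document->webkitIsFullScreen() && document->webkitCurrentFullScreenElement() == node) {
        RenderObject* wrapper = RenderFullScreen::wrapRenderer(newRenderer, parentRenderer, document);
        // The parent refused a RenderFullScreen child; the unattached renderer
        // created above would otherwise be dropped without being destroyed.
        if (!wrapper && newRenderer)
            newRenderer->destroy();
        newRenderer = wrapper;
    }
#endif
    // … unchanged: null check and attachment of newRenderer …
```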

Modified: trunk/Source/WebCore/rendering/RenderFullScreen.cpp (124490 => 124491)


--- trunk/Source/WebCore/rendering/RenderFullScreen.cpp	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/Source/WebCore/rendering/RenderFullScreen.cpp	2012-08-02 20:44:31 UTC (rev 124491)
@@ -105,11 +105,17 @@
     return fullscreenStyle.release();
 }
 
-RenderObject* RenderFullScreen::wrapRenderer(RenderObject* object, Document* document)
+RenderObject* RenderFullScreen::wrapRenderer(RenderObject* object, RenderObject* parent, Document* document)
 {
     RenderFullScreen* fullscreenRenderer = new (document->renderArena()) RenderFullScreen(document);
     fullscreenRenderer->setStyle(createFullScreenStyle());
+    if (parent && !parent->isChildAllowed(fullscreenRenderer, fullscreenRenderer->style())) {
+        fullscreenRenderer->destroy();
+        return 0;
+    }
     if (object) {
+        // |object->parent()| can be null if the object is not yet attached
+        // to |parent|.
         if (RenderObject* parent = object->parent()) {
             parent->addChild(fullscreenRenderer, object);
             object->remove();
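Review bot: The new `parent` parameter is shadowed three lines later by `if (RenderObject* parent = object->parent())`, and the comment added just above it (`not yet attached to |parent|`) therefore reads as though the two were the same object, which holds only for the Document.cpp caller — for `createRendererIfNeeded` the parameter is the prospective parent while `object->parent()` is null. Renaming the inner variable removes the ambiguity: `if (RenderObject* currentParent = object->parent()) {` followed by `currentParent->addChild(fullscreenRenderer, object);`. It would also help to state the new contract at the top of the function, e.g. `// Returns 0 without wrapping when |parent| (the current or prospective parent) does not accept a RenderFullScreen child.` The function continues past the end of the hunk.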

Modified: trunk/Source/WebCore/rendering/RenderFullScreen.h (124490 => 124491)


--- trunk/Source/WebCore/rendering/RenderFullScreen.h	2012-08-02 20:33:42 UTC (rev 124490)
+++ trunk/Source/WebCore/rendering/RenderFullScreen.h	2012-08-02 20:44:31 UTC (rev 124491)
@@ -42,7 +42,7 @@
     void createPlaceholder(PassRefPtr<RenderStyle>, const LayoutRect& frameRect);
 
 
-    static RenderObject* wrapRenderer(RenderObject* renderer, Document*);
+    static RenderObject* wrapRenderer(RenderObject*, RenderObject*, Document*);
     void unwrapRenderer();
 
 private:
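Review bot: The changed declaration drops the parameter names, leaving two adjacent `RenderObject*` arguments that a caller cannot tell apart without opening the .cpp, and the order (the object first, then its current or prospective parent) is exactly the kind of thing that gets swapped silently. Keeping the names in the header, `static RenderObject* wrapRenderer(RenderObject* object, RenderObject* parent, Document*);`, costs nothing, and a one-line comment above it would document the new failure mode: `// Returns 0 when |parent| does not allow a RenderFullScreen child; |object| is left untouched.`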