Title: [136060] trunk
- Revision
- 136060
- Author
- infe...@chromium.org
- Date
- 2012-11-28 14:46:59 -0800 (Wed, 28 Nov 2012)
Log Message
Source/WebCore: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
LayoutTests: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
https://bugs.webkit.org/show_bug.cgi?id=101970
Reviewed by David Hyatt.
* fast/block/float/float-not-removed-from-pre-block-expected.txt: Added.
* fast/block/float/float-not-removed-from-pre-block.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (136059 => 136060)
--- trunk/LayoutTests/ChangeLog 2012-11-28 22:39:12 UTC (rev 136059)
+++ trunk/LayoutTests/ChangeLog 2012-11-28 22:46:59 UTC (rev 136060)
@@ -1,3 +1,13 @@
+2012-11-28 Abhishek Arya <infe...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
+ https://bugs.webkit.org/show_bug.cgi?id=101970
+
+ Reviewed by David Hyatt.
+
+ * fast/block/float/float-not-removed-from-pre-block-expected.txt: Added.
+ * fast/block/float/float-not-removed-from-pre-block.html: Added.
+
2012-11-28 Tony Chang <t...@chromium.org>
Move internals.settings.setPageScaleFactor to internals.setPageScaleFactor
Added: trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt (0 => 136060)
--- trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block-expected.txt 2012-11-28 22:46:59 UTC (rev 136060)
@@ -0,0 +1,3 @@
+Bug 101970: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html (0 => 136060)
--- trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html (rev 0)
+++ trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html 2012-11-28 22:46:59 UTC (rev 136060)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+Bug 101970: Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer<br />
+Test passes if it does not crash.<br />
+<div id="container">
+ <q>
+ <q id="test1"></q>
+ </q>
+ <q id="test2">
+ <q style="float: left"></q>
+ <q id="test3">
+ <q style="position: fixed;">
+ </q>
+ </q>
+</div>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.body.offsetTop;
+test3.style.display = "table-footer-group";
+test3.focus();
+test1.style.display = "table-row-group";
+test2.style.display = "inline-block";
+</script>
+</html>
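Review bot: the new test lands with svn:executable set (see the property change directly below this hunk); an HTML layout test should not be executable, so drop that property before committing. Two smaller points on the test body: `<q id="test2">` is never closed explicitly and is only closed implicitly by `</div>`, which the parser accepts but which makes the intended nesting of the float and `test3` harder to read; and the script depends on the layout flushes forced by `document.body.offsetTop;` and `test3.focus();` sitting between the style changes, so a short comment stating that ordering matters would keep a later tidy-up from reordering the lines and silently turning this into a test that no longer reproduces bug 101970.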
Property changes on: trunk/LayoutTests/fast/block/float/float-not-removed-from-pre-block.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (136059 => 136060)
--- trunk/Source/WebCore/ChangeLog 2012-11-28 22:39:12 UTC (rev 136059)
+++ trunk/Source/WebCore/ChangeLog 2012-11-28 22:46:59 UTC (rev 136060)
@@ -1,3 +1,31 @@
+2012-11-28 Abhishek Arya <infe...@chromium.org>
+
+ Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingL
+ayer
+ https://bugs.webkit.org/show_bug.cgi?id=101970
+
+ Reviewed by David Hyatt.
+
+ RenderInline::splitFlow and RenderBlock::splitFlow re-use |pre|
+ block in some cases. In those cases, |pre| might hold floating objects
+ and those floating descendants might get moved to |post| block. If
+ the |pre| block does not get a layout later, then the floating
+ descendant will never get removed since it is now part of |post|
+ ancestor chain. We don't want failing-to-layout bugs turned into
+ security bugs and hence clear floating objects list since we expect
+ it to be rebuilt in subsequent layout.
+
+ Test: fast/block/float/float-not-removed-from-pre-block.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::splitFlow): Call removeFloatingObjects on |pre| block.
+ (WebCore::RenderBlock::removeFloatingObjects): Clear all floating objects from our list.
+ (WebCore):
+ * rendering/RenderBlock.h:
+ (RenderBlock):
+ * rendering/RenderInline.cpp:
+ (WebCore::RenderInline::splitFlow): Call removeFloatingObjects on |pre| block.
+
2012-11-28 Mark Pilgrim <pilg...@chromium.org>
[Chromium] Remove pluginsScriptableObject from PlatformSupport
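Review bot: the entry's title is wrapped in the middle of an identifier ("hasSelfPaintingL" / "ayer"), which breaks searching the ChangeLog for the function name; keep `Heap-use-after-free in WebCore::RenderLayerModelObject::hasSelfPaintingLayer` on one line. The bare `(WebCore):` line under RenderBlock.cpp is prepare-ChangeLog noise with no description and can be removed. The rationale paragraph is good; it would be worth adding one sentence saying who is expected to trigger the "subsequent layout" that rebuilds the list, since the fix's safety rests on that happening.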
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (136059 => 136060)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-11-28 22:39:12 UTC (rev 136059)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2012-11-28 22:46:59 UTC (rev 136060)
@@ -675,6 +675,7 @@
// We can reuse this block and make it the preBlock of the next continuation.
pre = block;
pre->removePositionedObjects(0);
+ pre->removeFloatingObjects();
block = toRenderBlock(block->parent());
} else {
// No anonymous block available for use. Make one.
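Review bot: the new `pre->removeFloatingObjects();` call only drops |pre|'s bookkeeping; the ChangeLog says the list "is expected to be rebuilt in subsequent layout", but nothing in this hunk marks |pre| as needing layout. If the reuse path can be reached without a later layout of |pre|, consider whether a setNeedsLayout on |pre| belongs here so the rebuild is guaranteed rather than assumed, and either way a brief comment above the two remove calls explaining that the reused block's positioned and floating lists are stale after the split would help the next reader.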
@@ -3761,6 +3762,15 @@
removePositionedObject(deadObjects.at(i));
}
+void RenderBlock::removeFloatingObjects()
+{
+ if (!m_floatingObjects)
+ return;
+
+ deleteAllValues(m_floatingObjects->set());
+ m_floatingObjects->clear();
+}
+
RenderBlock::FloatingObject* RenderBlock::insertFloatingObject(RenderBox* o)
{
ASSERT(o->isFloating());
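Review bot: the order in `removeFloatingObjects` is right (free the FloatingObject entries with `deleteAllValues(m_floatingObjects->set())` before `m_floatingObjects->clear()` empties the set), but please confirm that `clear()` also resets whatever derived state FloatingObjects keeps alongside the set (counts, placed-float bookkeeping) rather than only the set itself, otherwise the next layout starts from inconsistent data. A one-line comment noting that this deliberately leaves the floating renderers themselves alone and only discards this block's records of them would prevent the function being mistaken for one that removes floats from the tree.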
Modified: trunk/Source/WebCore/rendering/RenderBlock.h (136059 => 136060)
--- trunk/Source/WebCore/rendering/RenderBlock.h 2012-11-28 22:39:12 UTC (rev 136059)
+++ trunk/Source/WebCore/rendering/RenderBlock.h 2012-11-28 22:46:59 UTC (rev 136060)
@@ -117,6 +117,8 @@
static void removePositionedObject(RenderBox*);
void removePositionedObjects(RenderBlock*, ContainingBlockState = SameContainingBlock);
+ void removeFloatingObjects();
+
TrackedRendererListHashSet* positionedObjects() const;
bool hasPositionedObjects() const
{
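Review bot: the new `void removeFloatingObjects();` declaration has no comment, unlike the neighbouring `removePositionedObjects`, whose parameters at least hint at scope; state in a short comment that it clears only this block's own float list and is intended for blocks that are about to be re-laid-out, so callers outside splitFlow do not reach for it as a general "remove floats" API.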
Modified: trunk/Source/WebCore/rendering/RenderInline.cpp (136059 => 136060)
--- trunk/Source/WebCore/rendering/RenderInline.cpp 2012-11-28 22:39:12 UTC (rev 136059)
+++ trunk/Source/WebCore/rendering/RenderInline.cpp 2012-11-28 22:46:59 UTC (rev 136060)
@@ -455,6 +455,7 @@
// We can reuse this block and make it the preBlock of the next continuation.
pre = block;
pre->removePositionedObjects(0);
+ pre->removeFloatingObjects();
block = block->containingBlock();
} else {
// No anonymous block available for use. Make one.
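Review bot: this is the third line now duplicated verbatim between RenderInline::splitFlow and RenderBlock::splitFlow (`pre = block;`, `pre->removePositionedObjects(0);`, `pre->removeFloatingObjects();`); the only difference between the two reuse paths is how `block` is advanced afterwards. Factoring the "reuse this block as |pre|" clean-up into one helper would make sure the next list that turns out to be stale after a split gets cleared in both places at once instead of needing a two-file fix like this one.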
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes