Title: [138988] trunk
- Revision
- 138988
- Author
- [email protected]
- Date
- 2013-01-07 14:07:45 -0800 (Mon, 07 Jan 2013)
Log Message
Heap-buffer-overflow in WebCore::RenderBlock::clone.
https://bugs.webkit.org/show_bug.cgi?id=101984
Reviewed by Julien Chaffraix.
Source/WebCore:
Add a global in RenderBlock to prevent recursion inside splitFlow.
While inside splitFlow (multi-column handling), we move many children
using fullRemoveInsert=true, causing RenderBlock::addChild to be called
and recursing in splitFlow. This messes the tree splitting happening in
RenderBlock::splitBlocks and can cause bad casts.
Test: fast/multicol/recursive-split-flow-crash.html
* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
LayoutTests:
* fast/multicol/recursive-split-flow-crash-expected.txt: Added.
* fast/multicol/recursive-split-flow-crash.html: Added.
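The commit message above describes a re-entrancy problem: splitFlow moves existing children through addChild, and if one of those children has itself become a column spanner, addChild starts a second splitFlow while the first one is half done. The block below is an added example, not WebKit code, that reproduces that recursion on a toy block tree and shows the scoped-flag fix. The TemporaryChange class here is a stand-in for WTF::TemporaryChange written for this illustration, and the Block type, splitFlow and addChild are simplified models that assume nothing about the real WebCore::RenderBlock API; the scenario only loosely mirrors the layout test (one child becomes a spanner after insertion, then a second spanner is added).

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for WTF::TemporaryChange<T> (assumed shape, not the WTF header):
// overwrite a variable for the lifetime of a scope and restore it on exit,
// including on early return, so the guard can never be left set by accident.
template <typename T>
class TemporaryChange {
public:
    TemporaryChange(T& scoped, T newValue) : m_scoped(scoped), m_oldValue(scoped) { m_scoped = newValue; }
    ~TemporaryChange() { m_scoped = m_oldValue; }
    TemporaryChange(const TemporaryChange&) = delete;
    TemporaryChange& operator=(const TemporaryChange&) = delete;
private:
    T& m_scoped;
    T m_oldValue;
};

// Toy render block: a named node with a column-span flag and owned children.
struct Block {
    std::string name;
    bool spansColumns;
    bool anonymous;
    std::vector<std::unique_ptr<Block>> children;
    Block(std::string n, bool spans, bool anon) : name(std::move(n)), spansColumns(spans), anonymous(anon) {}
};

static bool gIsInColumnFlowSplit = false; // the re-entrancy guard from r138988, modelled as a process-wide flag
static int gSplitDepth = 0;               // instrumentation only: current splitFlow nesting
static int gMaxSplitDepth = 0;            // instrumentation only: deepest nesting seen

static void addChild(Block& parent, std::unique_ptr<Block> child, bool useGuard);

// Toy splitFlow: wrap the existing children in an anonymous block, then append an
// anonymous block holding the spanner. Children are moved one by one through
// addChild, which is the "fullRemoveInsert=true" re-entry path the ChangeLog describes.
static void splitFlow(Block& parent, std::unique_ptr<Block> spanner, bool useGuard)
{
    ++gSplitDepth;
    gMaxSplitDepth = std::max(gMaxSplitDepth, gSplitDepth);

    auto before = std::make_unique<Block>("anon-before", false, true);
    std::vector<std::unique_ptr<Block>> moved = std::move(parent.children);
    parent.children.clear();
    for (auto& child : moved)
        addChild(*before, std::move(child), useGuard); // may re-enter addChild -> splitFlow
    parent.children.push_back(std::move(before));

    auto spanBlock = std::make_unique<Block>("anon-span", false, true);
    spanBlock->children.push_back(std::move(spanner));
    parent.children.push_back(std::move(spanBlock));

    --gSplitDepth;
}

static void addChild(Block& parent, std::unique_ptr<Block> child, bool useGuard)
{
    // With the guard, a spanning child that arrives while a split is already in
    // progress is inserted as an ordinary child instead of starting a nested split.
    bool splitInProgress = useGuard && gIsInColumnFlowSplit;
    if (child->spansColumns && !splitInProgress) {
        TemporaryChange<bool> inSplit(gIsInColumnFlowSplit, true);
        splitFlow(parent, std::move(child), useGuard);
        return;
    }
    parent.children.push_back(std::move(child));
}

static int countAnonymous(const Block& block)
{
    int n = block.anonymous ? 1 : 0;
    for (const auto& child : block.children)
        n += countAnonymous(*child);
    return n;
}

struct SplitStats {
    int maxDepth;        // 1 means splitFlow never re-entered itself
    int anonymousBlocks; // extra wrappers are created by nested splits
};

// Constructed scenario: an existing child has become a column spanner after it was
// inserted (the layout test does this with insertRule), then a second spanner is
// added, so splitFlow has to move the first spanner through addChild.
static SplitStats runScenario(bool useGuard)
{
    gIsInColumnFlowSplit = false;
    gSplitDepth = 0;
    gMaxSplitDepth = 0;

    Block root("root", false, false);
    root.children.push_back(std::make_unique<Block>("test1", false, false));
    root.children.back()->spansColumns = true; // style change after insertion, no split yet
    root.children.push_back(std::make_unique<Block>("plain", false, false));

    addChild(root, std::make_unique<Block>("test2", true, false), useGuard);
    return SplitStats{ gMaxSplitDepth, countAnonymous(root) };
}

int main()
{
    SplitStats naive = runScenario(false);
    SplitStats guarded = runScenario(true);
    std::printf("unguarded: depth %d, anonymous blocks %d\n", naive.maxDepth, naive.anonymousBlocks);
    std::printf("guarded:   depth %d, anonymous blocks %d\n", guarded.maxDepth, guarded.anonymousBlocks);
    return 0;
}
```

Without the guard the inner split creates wrappers inside an anonymous block that the outer split has not finished populating (nesting depth 2, four anonymous blocks); with the guard the moved spanner is inserted plainly and the outer split completes (depth 1, two anonymous blocks). In WebCore the corrupted intermediate tree surfaced as the bad cast in RenderBlock::clone rather than as a wrong block count, but the structural cause is the same.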
Diff
Modified: trunk/LayoutTests/ChangeLog (138987 => 138988)
--- trunk/LayoutTests/ChangeLog 2013-01-07 22:05:33 UTC (rev 138987)
+++ trunk/LayoutTests/ChangeLog 2013-01-07 22:07:45 UTC (rev 138988)
@@ -1,3 +1,13 @@
+2013-01-07 Abhishek Arya <[email protected]>
+
+ Heap-buffer-overflow in WebCore::RenderBlock::clone.
+ https://bugs.webkit.org/show_bug.cgi?id=101984
+
+ Reviewed by Julien Chaffraix.
+
+ * fast/multicol/recursive-split-flow-crash-expected.txt: Added.
+ * fast/multicol/recursive-split-flow-crash.html: Added.
+
2013-01-07 Enrica Casucci <[email protected]>
Some characters are not rotated properly in vertical text
Added: trunk/LayoutTests/fast/multicol/recursive-split-flow-crash-expected.txt (0 => 138988)
--- trunk/LayoutTests/fast/multicol/recursive-split-flow-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/multicol/recursive-split-flow-crash-expected.txt 2013-01-07 22:07:45 UTC (rev 138988)
@@ -0,0 +1,3 @@
+Bug 101984: Heap-buffer-overflow in WebCore::RenderBlock::clone.
+Test passes if it does not crash.
+
Added: trunk/LayoutTests/fast/multicol/recursive-split-flow-crash.html (0 => 138988)
--- trunk/LayoutTests/fast/multicol/recursive-split-flow-crash.html (rev 0)
+++ trunk/LayoutTests/fast/multicol/recursive-split-flow-crash.html 2013-01-07 22:07:45 UTC (rev 138988)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+Bug 101984: Heap-buffer-overflow in WebCore::RenderBlock::clone.<br />
+Test passes if it does not crash.
+<body>
+<table>
+<div class="container">
+<div class="testClass" id="test1">
+</div>
+<div class="testClass">
+<div>
+<i id="test2"></i>
+</div>
+</div>
+</div>
+</table>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+document.head.appendChild(document.createElement("style"));
+var styleSheet0 = document.styleSheets[0];
+var test1 = document.getElementById("test1");
+var test2 = document.getElementById("test2");
+
+
+document.execCommand("SelectAll", true);
+styleSheet0.insertRule('.testClass { -webkit-column-span: all ; }', 0);
+test1.appendChild(test2);
+styleSheet0.insertRule('.testClass::first-letter { border-style: none; }', 0);
+styleSheet0.insertRule('.container { -webkit-column-axis: vertical; }', 0);
+</script>
+</body>
+</html>
\ No newline at end of file
Property changes on: trunk/LayoutTests/fast/multicol/recursive-split-flow-crash.html
___________________________________________________________________
Added: svn:executable
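Review bot: the svn:executable property should not be set on recursive-split-flow-crash.html; a layout test is loaded by the harness, not executed, and the bit is almost certainly an accident of how the fuzzer-reduced file was copied in, so please drop it before landing. Separately, the script body gives no hint why `document.execCommand("SelectAll", true);` must run before the three `insertRule` calls or why the rules are inserted in that order; a one-line comment would save whoever next has to re-reduce this case, and the two consecutive blank lines above the execCommand call can go.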
Modified: trunk/Source/WebCore/ChangeLog (138987 => 138988)
--- trunk/Source/WebCore/ChangeLog 2013-01-07 22:05:33 UTC (rev 138987)
+++ trunk/Source/WebCore/ChangeLog 2013-01-07 22:07:45 UTC (rev 138988)
@@ -1,3 +1,21 @@
+2013-01-07 Abhishek Arya <[email protected]>
+
+ Heap-buffer-overflow in WebCore::RenderBlock::clone.
+ https://bugs.webkit.org/show_bug.cgi?id=101984
+
+ Reviewed by Julien Chaffraix.
+
+ Add a global in RenderBlock to prevent recursion inside splitFlow.
+ While inside splitFlow (multi-column handling), we move many children
+ using fullRemoveInsert=true, causing RenderBlock::addChild to be called
+ and recursing in splitFlow. This messes the tree splitting happening in
+ RenderBlock::splitBlocks and can cause bad casts.
+
+ Test: fast/multicol/recursive-split-flow-crash.html
+
+ * rendering/RenderBlock.cpp:
+ (WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks):
+
2013-01-07 Alok Priyadarshi <[email protected]>
[chromium] Fix PlatformContextSkia::setDrawingToImageBuffer abuse
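Review bot: the entry says the new global is there to "prevent recursion inside splitFlow" but does not say what happens to a column-span child that is added while the flag is set. Since that child is neither split nor wrapped in an anonymous column-span block at that point, the ChangeLog should state that it is inserted as a regular child and whether anything revisits it once the outer split finishes; that is the behavioural change a reviewer needs to verify, not the presence of the flag.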
Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (138987 => 138988)
--- trunk/Source/WebCore/rendering/RenderBlock.cpp 2013-01-07 22:05:33 UTC (rev 138987)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp 2013-01-07 22:07:45 UTC (rev 138988)
@@ -70,6 +70,7 @@
#include <wtf/MemoryInstrumentationHashMap.h>
#include <wtf/MemoryInstrumentationHashSet.h>
#include <wtf/MemoryInstrumentationListHashSet.h>
+#include <wtf/TemporaryChange.h>
using namespace std;
using namespace WTF;
@@ -117,6 +118,8 @@
static int gDelayUpdateScrollInfo = 0;
static DelayedUpdateScrollInfoSet* gDelayedUpdateScrollInfoSet = 0;
+static bool gIsInColumnFlowSplit = false;
+
bool RenderBlock::s_canPropagateFloatIntoSibling = false;
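Review bot: gIsInColumnFlowSplit is a process-wide static alongside gDelayUpdateScrollInfo, so it is shared by every RenderBlock in every document on the thread. That is only sound because splitFlow runs to completion synchronously without yielding to other layout work, and a short comment here stating that invariant (and that the flag is only ever set through TemporaryChange, never assigned directly) would stop a later change from letting it leak across a layout boundary.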
// This class helps dispatching the 'overflow' event on layout change. overflow can be set on RenderBoxes, yet the existing code
@@ -829,30 +832,33 @@
beforeChild = beforeChild->nextSibling();
// Check for a spanning element in columns.
- RenderBlock* columnsBlockAncestor = columnsBlockForSpanningElement(newChild);
- if (columnsBlockAncestor) {
- // We are placing a column-span element inside a block.
- RenderBlock* newBox = createAnonymousColumnSpanBlock();
+ if (!gIsInColumnFlowSplit) {
+ RenderBlock* columnsBlockAncestor = columnsBlockForSpanningElement(newChild);
+ if (columnsBlockAncestor) {
+ TemporaryChange<bool> isInColumnFlowSplit(gIsInColumnFlowSplit, true);
+ // We are placing a column-span element inside a block.
+ RenderBlock* newBox = createAnonymousColumnSpanBlock();
- if (columnsBlockAncestor != this) {
- // We are nested inside a multi-column element and are being split by the span. We have to break up
- // our block into continuations.
- RenderBoxModelObject* oldContinuation = continuation();
+ if (columnsBlockAncestor != this) {
+ // We are nested inside a multi-column element and are being split by the span. We have to break up
+ // our block into continuations.
+ RenderBoxModelObject* oldContinuation = continuation();
- // When we split an anonymous block, there's no need to do any continuation hookup,
- // since we haven't actually split a real element.
- if (!isAnonymousBlock())
- setContinuation(newBox);
+ // When we split an anonymous block, there's no need to do any continuation hookup,
+ // since we haven't actually split a real element.
+ if (!isAnonymousBlock())
+ setContinuation(newBox);
- splitFlow(beforeChild, newBox, newChild, oldContinuation);
+ splitFlow(beforeChild, newBox, newChild, oldContinuation);
+ return;
+ }
+
+ // We have to perform a split of this block's children. This involves creating an anonymous block box to hold
+ // the column-spanning |newChild|. We take all of the children from before |newChild| and put them into
+ // one anonymous columns block, and all of the children after |newChild| go into another anonymous block.
+ makeChildrenAnonymousColumnBlocks(beforeChild, newBox, newChild);
return;
}
-
- // We have to perform a split of this block's children. This involves creating an anonymous block box to hold
- // the column-spanning |newChild|. We take all of the children from before |newChild| and put them into
- // one anonymous columns block, and all of the children after |newChild| go into another anonymous block.
- makeChildrenAnonymousColumnBlocks(beforeChild, newBox, newChild);
- return;
}
bool madeBoxesNonInline = false;
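Review bot: when gIsInColumnFlowSplit is already set, a column-spanning newChild skips the entire guarded block and falls through to the ordinary insertion path below, so it lands as a plain child of a block that is itself mid-split; that is the intended outcome, but nothing in the hunk says so. Please add a comment on the `if (!gIsInColumnFlowSplit) {` line, for example `// A split is already in progress; insert normally and let the outer split place this child.` Also note that the TemporaryChange is taken before `createAnonymousColumnSpanBlock()`, so the guard covers both the `splitFlow(...)` branch and the `makeChildrenAnonymousColumnBlocks(...)` branch; that is wider than the "recursion inside splitFlow" the ChangeLog describes, and either the ChangeLog or the comment should say the wider scope is deliberate.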
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes