Title: [140435] trunk
Revision: 140435
Author: [email protected]
Date: 2013-01-22 10:17:37 -0800 (Tue, 22 Jan 2013)

Log Message

Heap-use-after-free in WebCore::RenderObject::isDescendantOf
https://bugs.webkit.org/show_bug.cgi?id=107226

Reviewed by Emil A Eklund.

Source/WebCore:

Test: fast/block/float/overhanging-float-not-removed-crash.html

* rendering/RenderBox.cpp:
(WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
Skip anonymous blocks in the chain to get the enclosing block and
be able to correctly mark the overhanging floats in the next siblings.

LayoutTests:

* fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
* fast/block/float/overhanging-float-not-removed-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderBox.cpp

Added Paths

trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt
trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html
Diff

Modified: trunk/LayoutTests/ChangeLog (140434 => 140435)


--- trunk/LayoutTests/ChangeLog	2013-01-22 18:02:41 UTC (rev 140434)
+++ trunk/LayoutTests/ChangeLog	2013-01-22 18:17:37 UTC (rev 140435)
@@ -1,3 +1,13 @@
+2013-01-22  Abhishek Arya  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+
+        Reviewed by Emil A Eklund.
+
+        * fast/block/float/overhanging-float-not-removed-crash-expected.txt: Added.
+        * fast/block/float/overhanging-float-not-removed-crash.html: Added.
+
 2013-01-18  Stephen Chenney  <[email protected]>
 
         Asserts when textPath is used with no path

Added: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt (0 => 140435)


--- trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash-expected.txt	2013-01-22 18:17:37 UTC (rev 140435)
@@ -0,0 +1,2 @@
+Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.
+PASS. WebKit didn't crash

Added: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html (0 => 140435)


--- trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html	2013-01-22 18:17:37 UTC (rev 140435)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<noembed id=test4></noembed>
+<h6 id=test3>
+<h3 id=test7></h3>
+<span id=tCF36>
+<math>
+<and>
+<equivalent>
+<csc id=test5 style="float: left; "> X6DDguzp|m_v c;</csc>
+<otherwise id=test1>
+</equivalent>
+</and>
+<cartesianproduct id=test2>#L    }|2pqynn</cartesianproduct>
+<factorial></factorial>
+<product id=test6>.
+</math>
+</span>
+</h6>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+document.documentElement.offsetTop;
+test1.appendChild(test2);
+test2.appendChild(test3);
+document.documentElement.offsetTop;
+test4.appendChild(test5);
+test6.appendChild(test7);
+document.documentElement.offsetTop;
+document.documentElement.innerHTML = "Bug 107226. Heap-use-after-free in WebCore::RenderObject::isDescendantOf.<br />PASS. WebKit didn't crash";
+</script>
+</html>
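Review bot: the property change recorded right after this hunk adds svn:executable to an .html layout test, which a layout test does not need; please drop that property before landing. A one-line comment in the script noting which of the appendChild calls moves the floated element (test5 is the only node with `float: left`) would also keep the test's intent clear if the markup is ever simplified; as written, the sequence of offsetTop reads and DOM moves is the whole reproduction and nothing says why each step is there.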
Property changes on: trunk/LayoutTests/fast/block/float/overhanging-float-not-removed-crash.html
___________________________________________________________________

Added: svn:executable

Modified: trunk/Source/WebCore/ChangeLog (140434 => 140435)


--- trunk/Source/WebCore/ChangeLog	2013-01-22 18:02:41 UTC (rev 140434)
+++ trunk/Source/WebCore/ChangeLog	2013-01-22 18:17:37 UTC (rev 140435)
@@ -1,3 +1,17 @@
+2013-01-22  Abhishek Arya  <[email protected]>
+
+        Heap-use-after-free in WebCore::RenderObject::isDescendantOf
+        https://bugs.webkit.org/show_bug.cgi?id=107226
+
+        Reviewed by Emil A Eklund.
+
+        Test: fast/block/float/overhanging-float-not-removed-crash.html
+
+        * rendering/RenderBox.cpp:
+        (WebCore::RenderBox::removeFloatingOrPositionedChildFromBlockLists):
+        Skip anonymous blocks in the chain to get the enclosing block and
+        be able to correctly mark the overhanging floats in the next siblings.
+
 2013-01-22  Justin Schuh  <[email protected]>
 
         Silence MSVC 64-bit build warning c4309 for FrameTree::invalidCount

Modified: trunk/Source/WebCore/rendering/RenderBox.cpp (140434 => 140435)


--- trunk/Source/WebCore/rendering/RenderBox.cpp	2013-01-22 18:02:41 UTC (rev 140434)
+++ trunk/Source/WebCore/rendering/RenderBox.cpp	2013-01-22 18:17:37 UTC (rev 140435)
@@ -184,6 +184,15 @@
         }
 
         if (parentBlock) {
+            // Need to skip anonymous blocks in our ancestor chain since our overhanging floats
+            // can be in the next siblings of enclosing block.
+            while (parentBlock->isAnonymousBlock()) {
+                if (RenderBlock* containingBlock = parentBlock->containingBlock())
+                    parentBlock = containingBlock;
+                else
+                    break;
+            }
+
             RenderObject* parent = parentBlock->parent();
             if (parent && parent->isFlexibleBoxIncludingDeprecated())
                 parentBlock = toRenderBlock(parent);
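Review bot: the `else break;` path in the new while loop leaves parentBlock pointing at an anonymous block whose containingBlock() returned null, and the code then continues into the existing `parentBlock->parent()` flex-box check with that anonymous block; if that situation is not expected to occur in practice, an ASSERT or a short comment stating so would make the intent explicit, and if it is expected, the comment should say what marking floats on that block is meant to achieve. Minor wording in the added comment: "in the next siblings of enclosing block" should read "in the next siblings of the enclosing block".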
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
