Title: [145658] branches/safari-536.30-branch

Diff

Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145657 => 145658)


--- branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-03-13 01:25:00 UTC (rev 145657)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog	2013-03-13 01:26:39 UTC (rev 145658)
@@ -1,5 +1,22 @@
 2013-03-12  Lucas Forschler  <[email protected]>
 
+        Merge r139788
+
+    2013-01-15  Elliott Sprehn  <[email protected]>
+
+            Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree
+            https://bugs.webkit.org/show_bug.cgi?id=106384
+
+            Reviewed by Abhishek Arya.
+
+            Add a test for <ruby> and generated content causing asserts and
+            crashes.
+
+            * fast/css-generated-content/bug-106384-expected.txt: Added.
+            * fast/css-generated-content/bug-106384.html: Added.
+
+2013-03-12  Lucas Forschler  <[email protected]>
+
         Merge r139457
 
     2013-01-11  Florin Malita  <[email protected]>

Copied: branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384-expected.txt (from rev 139788, trunk/LayoutTests/fast/css-generated-content/bug-106384-expected.txt) (0 => 145658)


--- branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384-expected.txt	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384-expected.txt	2013-03-13 01:26:39 UTC (rev 145658)
@@ -0,0 +1,3 @@
+Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+
+Passed if this test did not crash or assert.

Copied: branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384.html (from rev 139788, trunk/LayoutTests/fast/css-generated-content/bug-106384.html) (0 => 145658)


--- branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384.html	                        (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/css-generated-content/bug-106384.html	2013-03-13 01:26:39 UTC (rev 145658)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+
+<style>
+ruby:after {
+    display: block;
+    content: "";
+}
+</style>
+
+<p>
+    Bug 106384: Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree.
+</p>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+_onload_ = function() {
+    var ruby = document.createElement('ruby');
+    document.body.appendChild(ruby);
+    // Cause a layout.
+    document.body.offsetLeft;
+    ruby.appendChild(document.createTextNode('Passed if this test did not crash or assert.'));
+};
+</script>
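Review bot: the handler assignment `_onload_ = function() {` creates a global named `_onload_` rather than setting `window.onload`, so as written the function body never runs, the `<ruby>` element is never appended and laid out, and the test passes vacuously under `testRunner.dumpAsText()` without exercising the code path the bug describes; it should read `onload = function() {` (or `window.onload = function() {`). If the underscores are an artifact of the commit viewer rendering, the checked-in file should still be verified, since a no-op regression test gives no protection against the use-after-free reappearing.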

Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145657 => 145658)


--- branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-03-13 01:25:00 UTC (rev 145657)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog	2013-03-13 01:26:39 UTC (rev 145658)
@@ -1,5 +1,28 @@
 2013-03-12  Lucas Forschler  <[email protected]>
 
+        Merge r139788
+
+    2013-01-15  Elliott Sprehn  <[email protected]>
+
+            Heap-use-after-free in WebCore::RenderObject::willBeRemovedFromTree
+            https://bugs.webkit.org/show_bug.cgi?id=106384
+
+            Reviewed by Abhishek Arya.
+
+            Always walk up from beforeChild until the parent() is the owner of the
+            child list, otherwise we can end up in situations where
+            newChild->parent() == owner but newChild->nextSibling()->parent() != owner
+            which is a recipe for security bugs. Previously we only walked up through
+            anonymous blocks, but missed anonymous inline blocks like those generated
+            by <ruby>.
+
+            Test: fast/css-generated-content/bug-106384.html
+
+            * rendering/RenderObjectChildList.cpp:
+            (WebCore::RenderObjectChildList::insertChildNode):
+
+2013-03-12  Lucas Forschler  <[email protected]>
+
         Merge r139551
 
     2013-01-12  Gavin Peters  <[email protected]>

Modified: branches/safari-536.30-branch/Source/WebCore/rendering/RenderObjectChildList.cpp (145657 => 145658)


--- branches/safari-536.30-branch/Source/WebCore/rendering/RenderObjectChildList.cpp	2013-03-13 01:25:00 UTC (rev 145657)
+++ branches/safari-536.30-branch/Source/WebCore/rendering/RenderObjectChildList.cpp	2013-03-13 01:26:39 UTC (rev 145658)
@@ -156,10 +156,17 @@
     }
 
     ASSERT(!child->parent());
-    while (beforeChild->parent() != owner && beforeChild->parent()->isAnonymousBlock())
+    while (beforeChild->parent() && beforeChild->parent() != owner)
         beforeChild = beforeChild->parent();
-    ASSERT(beforeChild->parent() == owner);
 
+    // This should never happen, but if it does prevent render tree corruption
+    // where child->parent() ends up being owner but child->nextSibling()->parent()
+    // is not owner.
+    if (beforeChild->parent() != owner) {
+        ASSERT_NOT_REACHED();
+        return;
+    }
+
     ASSERT(!owner->isBlockFlow() || (!child->isTableSection() && !child->isTableRow() && !child->isTableCell()));
 
     if (beforeChild == firstChild())
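Review bot: the early return at `if (beforeChild->parent() != owner) {` silently drops `child` in release builds: the function returns without inserting it, `child` still has no parent (per the preceding `ASSERT(!child->parent())`), and the caller gets no indication, so the renderer it handed over is orphaned and either leaked or left for the caller to reference without it being in the tree. Because the loop now walks up through every non-owner ancestor (not only anonymous blocks, which is what caused the `<ruby>` case to be missed), this branch is only reachable when `beforeChild` is not a descendant of `owner` at all, so consider making that failure observable to callers (a return value or a logged diagnostic) rather than a bare `return`. Minor: the new comment reads better with a comma, `// This should never happen, but if it does, prevent render tree corruption`.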
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes