[webkit-changes] [147765] trunk

Fri, 05 Apr 2013 11:11:25 -0700

Title: [147765] trunk
Revision
147765
Author
[email protected]
Date
2013-04-05 11:13:17 -0700 (Fri, 05 Apr 2013)

Log Message

[regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine
https://bugs.webkit.org/show_bug.cgi?id=111594

Patch by Bem Jones-Bey <[email protected]> on 2013-04-05
Reviewed by David Hyatt.

Source/WebCore: 

Swapping the bases was causing any floats in the right base to be
lost, so change the code so that it no longer swaps the bases.

Test: fast/ruby/float-object-doesnt-crash.html

* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::removeChild): Don't swap the bases anymore.

LayoutTests: 

Add test to verify that the use-after-free is fixed. Note that it will
only crash when run under a memory checking tool like ASAN.

* fast/ruby/float-object-doesnt-crash-expected.txt: Added.
* fast/ruby/float-object-doesnt-crash.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (147764 => 147765)


--- trunk/LayoutTests/ChangeLog	2013-04-05 18:03:35 UTC (rev 147764)
+++ trunk/LayoutTests/ChangeLog	2013-04-05 18:13:17 UTC (rev 147765)
@@ -1,3 +1,16 @@
+2013-04-05  Bem Jones-Bey  <[email protected]>
+
+        [regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine
+        https://bugs.webkit.org/show_bug.cgi?id=111594
+
+        Reviewed by David Hyatt.
+
+        Add test to verify that the use-after-free is fixed. Note that it will
+        only crash when run under a memory checking tool like ASAN.
+
+        * fast/ruby/float-object-doesnt-crash-expected.txt: Added.
+        * fast/ruby/float-object-doesnt-crash.html: Added.
+
 2013-04-05  Bear Travis  <[email protected]>
 
         [css exclusions] Dynamically removing shape-inside should cause relayout of child blocks' inline content

Added: trunk/LayoutTests/fast/ruby/float-object-doesnt-crash-expected.txt (0 => 147765)


--- trunk/LayoutTests/fast/ruby/float-object-doesnt-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/float-object-doesnt-crash-expected.txt	2013-04-05 18:13:17 UTC (rev 147765)
@@ -0,0 +1,5 @@
+Test passes if it does not crash when run with memory checking for use-after-free.
+|
+>
+
+

Added: trunk/LayoutTests/fast/ruby/float-object-doesnt-crash.html (0 => 147765)


--- trunk/LayoutTests/fast/ruby/float-object-doesnt-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/float-object-doesnt-crash.html	2013-04-05 18:13:17 UTC (rev 147765)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<body>
+Test passes if it does not crash when run with memory checking for use-after-free.
+
+<summary><ruby>|<rt></rt>
+<h1><object align="right" ></object>
+><img border="947352079px"><ul style="padding:105392887px 0% inherit 0px; "></h1>
+</ruby>
+<keygen autofocus="Tm" ><object></object>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+</script>
+</body>

Modified: trunk/Source/WebCore/ChangeLog (147764 => 147765)


--- trunk/Source/WebCore/ChangeLog	2013-04-05 18:03:35 UTC (rev 147764)
+++ trunk/Source/WebCore/ChangeLog	2013-04-05 18:13:17 UTC (rev 147765)
@@ -1,3 +1,18 @@
+2013-04-05  Bem Jones-Bey  <[email protected]>
+
+        [regression] Security: Heap-use-after-free in WebCore::RenderBlock::logicalRightOffsetForLine
+        https://bugs.webkit.org/show_bug.cgi?id=111594
+
+        Reviewed by David Hyatt.
+
+        Swapping the bases was causing any floats in the right base to be
+        lost, so change the code so that it no longer swaps the bases.
+
+        Test: fast/ruby/float-object-doesnt-crash.html
+
+        * rendering/RenderRubyRun.cpp:
+        (WebCore::RenderRubyRun::removeChild): Don't swap the bases anymore.
+
 2013-04-05  Anders Carlsson  <[email protected]>
 
         Remove dead code

Modified: trunk/Source/WebCore/rendering/RenderRubyRun.cpp (147764 => 147765)


--- trunk/Source/WebCore/rendering/RenderRubyRun.cpp	2013-04-05 18:03:35 UTC (rev 147764)
+++ trunk/Source/WebCore/rendering/RenderRubyRun.cpp	2013-04-05 18:13:17 UTC (rev 147765)
@@ -166,13 +166,17 @@
             // Ruby run without a base can happen only at the first run.
             RenderRubyRun* rightRun = toRenderRubyRun(rightNeighbour);
             if (rightRun->hasRubyBase()) {
-                RenderRubyBase* rightBase = rightRun->rubyBaseSafe();
-                // Collect all children in a single base, then swap the bases.
-                rightBase->moveChildren(base);
-                moveChildTo(rightRun, base);
-                rightRun->moveChildTo(this, rightBase);
+                RenderRubyBase* rightBase = rightRun->rubyBase();
+                if (!rightBase)
+                    moveChildTo(rightRun, base);
+                else {
+                    // We need to preserve child order, so we have to append the 
+                    // rightBase's children to base, and then put them back.
+                    rightBase->moveChildren(base);
+                    base->moveChildren(rightBase);
+                }
                 // The now empty ruby base will be removed below.
-                ASSERT(!rubyBase()->firstChild());
+                ASSERT(!rubyBase() || !rubyBase()->firstChild());
             }
         }
     }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to