Title: [149641] trunk
Revision
149641
Author
[email protected]
Date
2013-05-06 14:18:30 -0700 (Mon, 06 May 2013)

Log Message

Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
https://bugs.webkit.org/show_bug.cgi?id=114772

Patch by Bem Jones-Bey <[email protected]> on 2013-05-06
Reviewed by David Hyatt.

Source/WebCore:

Fix the new use after free issues in Ruby.

Test: fast/ruby/ruby-svg-crash.html

* rendering/RenderRubyRun.cpp:
(WebCore::RenderRubyRun::removeChild):

LayoutTests:

Test case generated by the fuzzer. Will only crash when run in a
vulnerable configuration with a memory checking lib enabled.

* fast/ruby/ruby-svg-crash-expected.txt: Added.
* fast/ruby/ruby-svg-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (149640 => 149641)


--- trunk/LayoutTests/ChangeLog	2013-05-06 21:16:42 UTC (rev 149640)
+++ trunk/LayoutTests/ChangeLog	2013-05-06 21:18:30 UTC (rev 149641)
@@ -1,3 +1,16 @@
+2013-05-06  Bem Jones-Bey  <[email protected]>
+
+        Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
+        https://bugs.webkit.org/show_bug.cgi?id=114772
+
+        Reviewed by David Hyatt.
+
+        Test case generated by the fuzzer. Will only crash when run in a
+        vulnerable configuration with a memory checking lib enabled.
+
+        * fast/ruby/ruby-svg-crash-expected.txt: Added.
+        * fast/ruby/ruby-svg-crash.html: Added.
+
 2013-05-06  Robert Hogan  <[email protected]>
 
         REGRESSION(r140024): child of fixed div inside of absolute div does not get resized when window is resized
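Review bot: the ChangeLog entry says the test "will only crash when run in a vulnerable configuration with a memory checking lib enabled" without naming the configuration, so a bot or engineer triaging a later regression has no way to know which build actually exercises it. Since the title carries the checker's own report wording ("Heap-use-after-free in WebCore::InlineFlowBox::deleteLine"), one line naming the memory checker and build used to reproduce would make the entry self-explanatory.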

Added: trunk/LayoutTests/fast/ruby/ruby-svg-crash-expected.txt (0 => 149641)


--- trunk/LayoutTests/fast/ruby/ruby-svg-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/ruby-svg-crash-expected.txt	2013-05-06 21:18:30 UTC (rev 149641)
@@ -0,0 +1 @@
+This succeeds if this test doesn't crash.

Added: trunk/LayoutTests/fast/ruby/ruby-svg-crash.html (0 => 149641)


--- trunk/LayoutTests/fast/ruby/ruby-svg-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/ruby-svg-crash.html	2013-05-06 21:18:30 UTC (rev 149641)
@@ -0,0 +1,27 @@
+This succeeds if this test doesn't crash.
+<ruby id=rubyEl><dl></dl><rt id=rubyTextEl></rt>><script>
+var docElement = document.body ? document.body : document.documentElement;
+function initCF() {
+try { fontFaceNameEl = document.createElementNS("http://www.w3.org/2000/svg", "font-face-name"); } catch(e) {}
+try { clipPathEl = document.createElementNS("http://www.w3.org/2000/svg", "clipPath"); } catch(e) {}
+setTimeout("CFcrash()", 0);
+}
+document.addEventListener("DOMContentLoaded", initCF, false);
+function CFcrash() {
+try { if (rubyTextEl != docElement) { rubyTextEl.parentNode.removeChild(rubyTextEl); }} catch(e) {}
+try { clipPathEl.scrollIntoView(true); } catch(e) {}
+try { fontFaceNameEl.appendChild(rubyEl); } catch(e) {}
+}
+function runTest()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+setTimeout("runTest()", 10);
+</script>
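Review bot: nothing orders CFcrash() before notifyDone() in this test. runTest() is scheduled with `setTimeout("runTest()", 10)` at parse time, while CFcrash() is only scheduled (with a 0 ms timer) from the DOMContentLoaded handler; on a slow or loaded bot the 10 ms timer can fire first, the test reports success, and the removeChild/appendChild sequence that triggers the bug never runs. Calling runTest() at the end of CFcrash(), or scheduling the 10 ms timer from inside CFcrash(), would close that race. Minor, since this is fuzzer output: fontFaceNameEl and clipPathEl are implicit globals and both setTimeout calls pass strings instead of function references; worth tidying before the file is checked in as a regression test.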

Modified: trunk/Source/WebCore/ChangeLog (149640 => 149641)


--- trunk/Source/WebCore/ChangeLog	2013-05-06 21:16:42 UTC (rev 149640)
+++ trunk/Source/WebCore/ChangeLog	2013-05-06 21:18:30 UTC (rev 149641)
@@ -1,3 +1,17 @@
+2013-05-06  Bem Jones-Bey  <[email protected]>
+
+        Heap-use-after-free in WebCore::InlineFlowBox::deleteLine
+        https://bugs.webkit.org/show_bug.cgi?id=114772
+
+        Reviewed by David Hyatt.
+
+        Fix the new use after free issues in Ruby.
+
+        Test: fast/ruby/ruby-svg-crash.html
+
+        * rendering/RenderRubyRun.cpp:
+        (WebCore::RenderRubyRun::removeChild):
+
 2013-05-06  Robert Hogan  <[email protected]>
 
         REGRESSION(r140024): child of fixed div inside of absolute div does not get resized when window is resized
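Review bot: "Fix the new use after free issues in Ruby" does not say what was freed or which part of the change is the fix. The diff to RenderRubyRun::removeChild does two separable things, drops the `if (!rightBase)` branch in favour of `rubyBaseSafe()` and replaces the moveChildren round-trip with a base swap, and the entry should state which of these addressed the stale box reached from InlineFlowBox::deleteLine, so the next person touching this code knows which invariant must be preserved.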

Modified: trunk/Source/WebCore/rendering/RenderRubyRun.cpp (149640 => 149641)


--- trunk/Source/WebCore/rendering/RenderRubyRun.cpp	2013-05-06 21:16:42 UTC (rev 149640)
+++ trunk/Source/WebCore/rendering/RenderRubyRun.cpp	2013-05-06 21:18:30 UTC (rev 149641)
@@ -167,17 +167,13 @@
             // Ruby run without a base can happen only at the first run.
             RenderRubyRun* rightRun = toRenderRubyRun(rightNeighbour);
             if (rightRun->hasRubyBase()) {
-                RenderRubyBase* rightBase = rightRun->rubyBase();
-                if (!rightBase)
-                    moveChildTo(rightRun, base);
-                else {
-                    // We need to preserve child order, so we have to append the 
-                    // rightBase's children to base, and then put them back.
-                    rightBase->moveChildren(base);
-                    base->moveChildren(rightBase);
-                }
+                RenderRubyBase* rightBase = rightRun->rubyBaseSafe();
+                // Collect all children in a single base, then swap the bases.
+                rightBase->moveChildren(base);
+                moveChildTo(rightRun, base);
+                rightRun->moveChildTo(this, rightBase);
                 // The now empty ruby base will be removed below.
-                ASSERT(!rubyBase() || !rubyBase()->firstChild());
+                ASSERT(!rubyBase()->firstChild());
             }
         }
     }
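Review bot: the removed code guarded against `rightBase` being null when `rightRun->hasRubyBase()` is true; the replacement calls `rightBase->moveChildren(base)` unconditionally, so correctness now rests on `rubyBaseSafe()` never returning null. An `ASSERT(rightBase)` after the `rubyBaseSafe()` call, or a comment stating that contract, would make the dropped check deliberate rather than accidental. The tightened `ASSERT(!rubyBase()->firstChild())` likewise dereferences rubyBase() unconditionally; that holds only because `rightRun->moveChildTo(this, rightBase)` has just made rightBase this run's base, and asserting `rubyBase() == rightBase` alongside it would document that the swap, not the earlier state, is what guarantees a non-null base here.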
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
