Title: [160957] trunk/Source/WebCore
Revision
160957
Author
[email protected]
Date
2013-12-20 19:50:12 -0800 (Fri, 20 Dec 2013)

Log Message

Assert that RootInlineBox::setLineBreakInfo is never called on a RenderInline without line boxes
https://bugs.webkit.org/show_bug.cgi?id=126101

Reviewed by Simon Fraser.

Merge assertions added in https://chromium.googlesource.com/chromium/blink/+/716ac74fd475b581d69c0aa8ec2d806201c3a420

The code change was not merged since we never hit the added assertion on the attached test case in WebKit.

* rendering/RootInlineBox.cpp:
(WebCore::RootInlineBox::setLineBreakInfo):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (160956 => 160957)


--- trunk/Source/WebCore/ChangeLog	2013-12-21 02:48:50 UTC (rev 160956)
+++ trunk/Source/WebCore/ChangeLog	2013-12-21 03:50:12 UTC (rev 160957)
@@ -1,3 +1,17 @@
+2013-12-20  Ryosuke Niwa  <[email protected]>
+
+        Assert that RootInlineBox::setLineBreakInfo should is never called on a RenderInline without line boxes
+        https://bugs.webkit.org/show_bug.cgi?id=126101
+
+        Reviewed by Simon Fraser.
+
+        Merge assertions added in https://chromium.googlesource.com/chromium/blink/+/716ac74fd475b581d69c0aa8ec2d806201c3a420
+
+        The code change was not merged since we never hit the added assertion on the attached test case in WebKit.
+
+        * rendering/RootInlineBox.cpp:
+        (WebCore::RootInlineBox::setLineBreakInfo):
+
 2013-12-20  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: Remove the references to Node in InjectedScript
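Review bot: The new ChangeLog entry's title line reads "should is never called"; one of the two verbs should go, e.g. "Assert that RootInlineBox::setLineBreakInfo is never called on a RenderInline without line boxes", so the entry matches the intent stated in the commit and the comment added in RootInlineBox.cpp.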

Modified: trunk/Source/WebCore/rendering/RootInlineBox.cpp (160956 => 160957)


--- trunk/Source/WebCore/rendering/RootInlineBox.cpp	2013-12-21 02:48:50 UTC (rev 160956)
+++ trunk/Source/WebCore/rendering/RootInlineBox.cpp	2013-12-21 03:50:12 UTC (rev 160957)
@@ -748,6 +748,13 @@
 
 void RootInlineBox::setLineBreakInfo(RenderObject* obj, unsigned breakPos, const BidiStatus& status)
 {
+    // When setting lineBreakObj, the RenderObject must not be a RenderInline
+    // with no line boxes, otherwise all sorts of invariants are broken later.
+    // This has security implications because if the RenderObject does not
+    // point to at least one line box, then that RenderInline can be deleted
+    // later without resetting the lineBreakObj, leading to use-after-free.
+    ASSERT_WITH_SECURITY_IMPLICATION(!obj || obj->isText() || !(obj->isRenderInline() && obj->isBox() && !toRenderBox(obj)->inlineBoxWrapper()));
+
     m_lineBreakObj = obj;
     m_lineBreakPos = breakPos;
     m_lineBreakBidiStatusEor = status.eor;
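Review bot: The assertion as written can never fire, because its innermost clause requires `obj->isRenderInline() && obj->isBox()` to hold for the same object, and in WebKit's render tree a RenderInline is not a RenderBox, so those two predicates are mutually exclusive and the whole `!(...)` term is always true. That also explains the log message's observation that the assertion was never hit on the attached test case, and it means `toRenderBox(obj)->inlineBoxWrapper()` is checking the wrong class for the "RenderInline with no line boxes" case the comment describes. Consider expressing the check in terms of the inline's own line boxes, e.g. `!(obj->isRenderInline() && !toRenderInline(obj)->firstLineBox())`, and re-running the test case from the bug to confirm the guard is actually exercised before relying on it to catch the use-after-free described in the comment.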
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes