Title: [89987] trunk
Revision
89987
Author
[email protected]
Date
2011-06-28 21:34:38 -0700 (Tue, 28 Jun 2011)

Log Message

2011-06-28  Roland Steiner  <[email protected]>

        Reviewed by Eric Seidel.

        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
        https://bugs.webkit.org/show_bug.cgi?id=55930

        Test that a generated block child + counter within a <ruby> doesn't crash.
        (Test as provided by original reporter).

        * fast/ruby/generated-after-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-after-counter-doesnt-crash.html: Added.
        * fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-before-and-after-counter-doesnt-crash.html: Added.
        * fast/ruby/generated-before-counter-doesnt-crash-expected.txt: Added.
        * fast/ruby/generated-before-counter-doesnt-crash.html: Added.

2011-06-28  Roland Steiner  <[email protected]>

        Reviewed by Eric Seidel.

        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
        https://bugs.webkit.org/show_bug.cgi?id=55930

        Don't set style type BEFORE/AFTER on anonymous wrapper block.
        Rather, check style type on generated wrapped child.

        Tests: fast/ruby/generated-after-counter-doesnt-crash.html
               fast/ruby/generated-before-and-after-counter-doesnt-crash.html
               fast/ruby/generated-before-counter-doesnt-crash.html

        * rendering/RenderRuby.cpp:
        (WebCore::isAnonymousRubyInlineBlock):
        (WebCore::isRubyBeforeBlock):
        (WebCore::isRubyAfterBlock):
        (WebCore::rubyBeforeBlock):
        (WebCore::rubyAfterBlock):
        (WebCore::createAnonymousRubyInlineBlock):
        (WebCore::RenderRubyAsInline::addChild):
        (WebCore::RenderRubyAsBlock::addChild):

Diff

Modified: trunk/LayoutTests/ChangeLog (89986 => 89987)


--- trunk/LayoutTests/ChangeLog	2011-06-29 03:18:58 UTC (rev 89986)
+++ trunk/LayoutTests/ChangeLog	2011-06-29 04:34:38 UTC (rev 89987)
@@ -1,3 +1,20 @@
+2011-06-28  Roland Steiner  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
+        https://bugs.webkit.org/show_bug.cgi?id=55930
+
+        Test that a generated block child + counter within a <ruby> doesn't crash.
+        (Test as provided by original reporter).
+
+        * fast/ruby/generated-after-counter-doesnt-crash-expected.txt: Added.
+        * fast/ruby/generated-after-counter-doesnt-crash.html: Added.
+        * fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt: Added.
+        * fast/ruby/generated-before-and-after-counter-doesnt-crash.html: Added.
+        * fast/ruby/generated-before-counter-doesnt-crash-expected.txt: Added.
+        * fast/ruby/generated-before-counter-doesnt-crash.html: Added.
+
 2011-06-28  Adam Langley  <[email protected]>
 
         Reviewed by Adam Barth.

Added: trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash-expected.txt	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://XX/
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-after-counter-doesnt-crash.html	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,26 @@
+<html>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:after{
+	counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::after{
+	display: table;
+	content: url("http://XX");
+}
+
+</style>
+	<ruby>
+		<ruby>
+			<ruby>
+<style type="text/css">
+ruby{
+	float: left;
+}
+</style>
+	<ruby>
+This test passes if it doesn't crash.
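Review bot: The markup is deliberately malformed (four unclosed nested <ruby> elements, no </body> or </html>) and the single-colon `ruby:after` and double-colon `ruby::after` rules both target the same pseudo-element; since the ChangeLog says this is the reporter's reproduction verbatim, a one-line HTML comment at the top stating that the unclosed tags and split rules are intentional would stop a future cleanup from silently losing the repro. Separately, `content: url("http://XX")` makes the expectation depend on the harness emitting "Blocked access to external URL http://XX/"; a data: URL or a local resource would let the expected file be just the pass line while still exercising the same generated-content path.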

Added: trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash-expected.txt	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,3 @@
+Blocked access to external URL http://XX/
+Blocked access to external URL http://YY/
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-before-and-after-counter-doesnt-crash.html	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,33 @@
+<html>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:before{
+	counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::before{
+	display: table;
+	content: url("http://XX");
+}
+ruby:after{
+	counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::after{
+	display: table;
+	content: url("http://YY");
+}
+
+</style>
+	<ruby>
+		<ruby>
+			<ruby>
+<style type="text/css">
+ruby{
+	float: left;
+}
+</style>
+	<ruby>
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash-expected.txt	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://XX/
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html (0 => 89987)


--- trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/ruby/generated-before-counter-doesnt-crash.html	2011-06-29 04:34:38 UTC (rev 89987)
@@ -0,0 +1,26 @@
+<html>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+</script>
+<style type="text/css">
+
+ruby:before{
+	counter-reset: g -2532653 K -48696899414062 ll -48202514648437 rr -1821899414062;
+}
+ruby::before{
+	display: table;
+	content: url("http://XX");
+}
+
+</style>
+	<ruby>
+		<ruby>
+			<ruby>
+<style type="text/css">
+ruby{
+	float: right;
+}
+</style>
+	<ruby>
+This test passes if it doesn't crash.
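Review bot: This file uses `float: right` where the other two tests in the series use `float: left`, and nothing says whether that difference is deliberate; a short comment (or a file name that reflects it) would make clear that the before-only case is meant to cover the opposite float direction rather than being a copy-paste variation.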

Modified: trunk/Source/WebCore/ChangeLog (89986 => 89987)


--- trunk/Source/WebCore/ChangeLog	2011-06-29 03:18:58 UTC (rev 89986)
+++ trunk/Source/WebCore/ChangeLog	2011-06-29 04:34:38 UTC (rev 89987)
@@ -1,3 +1,27 @@
+2011-06-28  Roland Steiner  <[email protected]>
+
+        Reviewed by Eric Seidel.
+
+        Bug 55930 - (CVE-2011-1440) Incorrect handling of 'display:' property within nested <ruby> tags
+        https://bugs.webkit.org/show_bug.cgi?id=55930
+
+        Don't set style type BEFORE/AFTER on anonymous wrapper block.
+        Rather, check style type on generated wrapped child.
+
+        Tests: fast/ruby/generated-after-counter-doesnt-crash.html
+               fast/ruby/generated-before-and-after-counter-doesnt-crash.html
+               fast/ruby/generated-before-counter-doesnt-crash.html
+
+        * rendering/RenderRuby.cpp:
+        (WebCore::isAnonymousRubyInlineBlock):
+        (WebCore::isRubyBeforeBlock):
+        (WebCore::isRubyAfterBlock):
+        (WebCore::rubyBeforeBlock):
+        (WebCore::rubyAfterBlock):
+        (WebCore::createAnonymousRubyInlineBlock):
+        (WebCore::RenderRubyAsInline::addChild):
+        (WebCore::RenderRubyAsBlock::addChild):
+
 2011-06-28  Emil A Eklund  <[email protected]>
 
         Reviewed by Eric Seidel.
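Review bot: The entry states what changed ("Don't set style type BEFORE/AFTER on anonymous wrapper block") but not why the old approach crashed; one sentence explaining how marking the anonymous wrapper itself as BEFORE/AFTER content went wrong when the generated child has `display: table` (the case the three listed tests exercise) would make this CVE fix much easier to audit when the code is revisited.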

Modified: trunk/Source/WebCore/rendering/RenderRuby.cpp (89986 => 89987)


--- trunk/Source/WebCore/rendering/RenderRuby.cpp	2011-06-29 03:18:58 UTC (rev 89986)
+++ trunk/Source/WebCore/rendering/RenderRuby.cpp	2011-06-29 04:34:38 UTC (rev 89987)
@@ -40,33 +40,53 @@
 
 //=== generic helper functions to avoid excessive code duplication ===
 
-static inline bool isAnonymousRubyInlineBlock(RenderObject* object)
+static inline bool isAnonymousRubyInlineBlock(const RenderObject* object)
 {
-    ASSERT(!object->parent()->isRuby()
+    ASSERT(!object
+        || !object->parent()->isRuby()
         || object->isRubyRun()
         || (object->isInline() && (object->isBeforeContent() || object->isAfterContent()))
         || (object->isAnonymous() && object->isRenderBlock() && object->style()->display() == INLINE_BLOCK));
-    return object->parent()->isRuby() && object->isRenderBlock() && !object->isRubyRun();
+
+    return object
+        && object->parent()->isRuby()
+        && object->isRenderBlock()
+        && !object->isRubyRun();
 }
 
+static inline bool isRubyBeforeBlock(const RenderObject* object)
+{
+    return isAnonymousRubyInlineBlock(object)
+        && !object->previousSibling()
+        && object->firstChild()
+        && object->firstChild()->style()->styleType() == BEFORE;
+}
+
+static inline bool isRubyAfterBlock(const RenderObject* object)
+{
+    return isAnonymousRubyInlineBlock(object)
+        && !object->nextSibling()
+        && object->firstChild()
+        && object->firstChild()->style()->styleType() == AFTER;
+}
+
 static inline RenderBlock* rubyBeforeBlock(const RenderObject* ruby)
 {
     RenderObject* child = ruby->firstChild();
-    return child && !child->isRubyRun() && child->isRenderBlock() && child->style()->styleType() == BEFORE ? toRenderBlock(child) : 0;
+    return isRubyBeforeBlock(child) ? static_cast<RenderBlock*>(child) : 0;
 }
 
 static inline RenderBlock* rubyAfterBlock(const RenderObject* ruby)
 {
     RenderObject* child = ruby->lastChild();
-    return child && !child->isRubyRun() && child->isRenderBlock() && child->style()->styleType() == AFTER ? toRenderBlock(child) : 0;
+    return isRubyAfterBlock(child) ? static_cast<RenderBlock*>(child) : 0;
 }
 
-static RenderBlock* createAnonymousRubyInlineBlock(RenderObject* ruby, PseudoId styleType)
+static RenderBlock* createAnonymousRubyInlineBlock(RenderObject* ruby)
 {
     RefPtr<RenderStyle> newStyle = RenderStyle::createAnonymousStyle(ruby->style());
     newStyle->setDisplay(INLINE_BLOCK);
-    newStyle->setStyleType(styleType);
-    
+
     RenderBlock* newBlock = new (ruby->renderArena()) RenderBlock(ruby->document() /* anonymous box */);
     newBlock->setStyle(newStyle.release());
     return newBlock;
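Review bot: `rubyBeforeBlock` and `rubyAfterBlock` replace the checked `toRenderBlock(child)` with `static_cast<RenderBlock*>(child)`, which drops the debug-build type assertion in a change whose whole purpose is to stop a renderer from being treated as the wrong kind of block; `isAnonymousRubyInlineBlock` does guarantee `isRenderBlock()` on the non-null path, so the cast is sound, but keeping `toRenderBlock` (or a comment stating why it cannot be used here) would preserve that guard. The new null check in `isAnonymousRubyInlineBlock` is good, and the split into `isRubyBeforeBlock`/`isRubyAfterBlock` reads clearly; note that both rely on `object->firstChild()->style()` being non-null, which holds for attached renderers but is worth a comment since these helpers now run on the anonymous wrapper's first child rather than the wrapper itself.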
@@ -78,14 +98,14 @@
     if (child && !child->isRubyRun())
         child = child->previousSibling();
     ASSERT(!child || child->isRubyRun() || child->isBeforeContent() || child == rubyBeforeBlock(ruby));
-    return child && child->isRubyRun() ? toRenderRubyRun(child) : 0;
+    return child && child->isRubyRun() ? static_cast<RenderRubyRun*>(child) : 0;
 }
 
 static inline RenderRubyRun* findRubyRunParent(RenderObject* child)
 {
     while (child && !child->isRubyRun())
         child = child->parent();
-    return toRenderRubyRun(child);
+    return static_cast<RenderRubyRun*>(child);
 }
 
 //=== ruby as inline object ===
@@ -110,7 +130,7 @@
             // Wrap non-inline content with an anonymous inline-block.
             RenderBlock* beforeBlock = rubyBeforeBlock(this);
             if (!beforeBlock) {
-                beforeBlock = createAnonymousRubyInlineBlock(this, BEFORE);
+                beforeBlock = createAnonymousRubyInlineBlock(this);
                 RenderInline::addChild(beforeBlock, firstChild());
             }
             beforeBlock->addChild(child);
@@ -125,7 +145,7 @@
             // Wrap non-inline content with an anonymous inline-block.
             RenderBlock* afterBlock = rubyAfterBlock(this);
             if (!afterBlock) {
-                afterBlock = createAnonymousRubyInlineBlock(this, AFTER);
+                afterBlock = createAnonymousRubyInlineBlock(this);
                 RenderInline::addChild(afterBlock);
             }
             afterBlock->addChild(child);
@@ -211,7 +231,7 @@
             // Wrap non-inline content with an anonymous inline-block.
             RenderBlock* beforeBlock = rubyBeforeBlock(this);
             if (!beforeBlock) {
-                beforeBlock = createAnonymousRubyInlineBlock(this, BEFORE);
+                beforeBlock = createAnonymousRubyInlineBlock(this);
                 RenderBlock::addChild(beforeBlock, firstChild());
             }
             beforeBlock->addChild(child);
@@ -226,7 +246,7 @@
             // Wrap non-inline content with an anonymous inline-block.
             RenderBlock* afterBlock = rubyAfterBlock(this);
             if (!afterBlock) {
-                afterBlock = createAnonymousRubyInlineBlock(this, AFTER);
+                afterBlock = createAnonymousRubyInlineBlock(this);
                 RenderBlock::addChild(afterBlock);
             }
             afterBlock->addChild(child);
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
