Title: [136554] trunk
Revision: 136554
Author: jchaffr...@webkit.org
Date: 2012-12-04 13:10:03 -0800 (Tue, 04 Dec 2012)

Log Message

Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
https://bugs.webkit.org/show_bug.cgi?id=100764

Reviewed by Eric Seidel.

Source/WebCore:

Test: mathml/mfenced-root-layer.html

* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::stackingContext):
Fixed this function to ensure that it always returns a stacking context; the bug
was that the document element's layer wasn't guaranteed to be a stacking context.

LayoutTests:

* mathml/mfenced-root-layer-expected.txt: Added.
* mathml/mfenced-root-layer.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (136553 => 136554)


--- trunk/LayoutTests/ChangeLog	2012-12-04 21:07:45 UTC (rev 136553)
+++ trunk/LayoutTests/ChangeLog	2012-12-04 21:10:03 UTC (rev 136554)
@@ -1,3 +1,13 @@
+2012-12-04  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
+        https://bugs.webkit.org/show_bug.cgi?id=100764
+
+        Reviewed by Eric Seidel.
+
+        * mathml/mfenced-root-layer-expected.txt: Added.
+        * mathml/mfenced-root-layer.html: Added.
+
 2012-12-04  Roger Fong  <roger_f...@apple.com>
 
         Unreviewed gardening. Skip fast/loader/non-deferred-substitute-load.html on Windows port.

Added: trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt (0 => 136554)


--- trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt	2012-12-04 21:10:03 UTC (rev 136554)
@@ -0,0 +1,2 @@
+Bug 100764: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
+This test passes if it does not crash.
Property changes on: trunk/LayoutTests/mathml/mfenced-root-layer-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: trunk/LayoutTests/mathml/mfenced-root-layer.html (0 => 136554)


--- trunk/LayoutTests/mathml/mfenced-root-layer.html	                        (rev 0)
+++ trunk/LayoutTests/mathml/mfenced-root-layer.html	2012-12-04 21:10:03 UTC (rev 136554)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    var mfenced = document.createElementNS("http://www.w3.org/1998/Math/MathML", "mfenced");
+
+    var docElt = document.documentElement;
+    docElt.parentNode.removeChild(docElt);
+
+    document.appendChild(mfenced);
+
+    var e = document.createElement("div");
+    e.innerHTML = "<a href=''>Bug 100764</a>: Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]<br>This test passes if it does not crash.";
+    mfenced.appendChild(e);
+</script>
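Review bot: the test body gives no hint of why the document element is removed and the <mfenced> element is appended directly to the document; a short comment above `docElt.parentNode.removeChild(docElt);` stating that this makes the mfenced renderer's layer the root layer, which is the case the RenderLayer::stackingContext() fix targets, would save the next reader a trip to bug 100764. The expected output only needs the plain text because of testRunner.dumpAsText(), so the anchor markup in the innerHTML string is fine as-is.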
Property changes on: trunk/LayoutTests/mathml/mfenced-root-layer.html
___________________________________________________________________

Added: svn:eol-style

Modified: trunk/Source/WebCore/ChangeLog (136553 => 136554)


--- trunk/Source/WebCore/ChangeLog	2012-12-04 21:07:45 UTC (rev 136553)
+++ trunk/Source/WebCore/ChangeLog	2012-12-04 21:10:03 UTC (rev 136554)
@@ -1,3 +1,17 @@
+2012-12-04  Julien Chaffraix  <jchaffr...@webkit.org>
+
+        Heap-use-after-free in WebCore::RenderLayer::paintList [MathML]
+        https://bugs.webkit.org/show_bug.cgi?id=100764
+
+        Reviewed by Eric Seidel.
+
+        Test: mathml/mfenced-root-layer.html
+
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::stackingContext):
+        Fixed this function to ensure that it always returns a stacking context, the bug
+        was that the document element's layer wasn't guaranteed to be a stacking context.
+
 2012-12-04  Adam Barth  <aba...@webkit.org>
 
         [V8] GetNativeType in CodeGeneratorV8.pm needs a bath
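Review bot: the last two lines of the new entry run two sentences together with a comma ("...always returns a stacking context, the bug was that..."); splitting them with a semicolon or full stop keeps the ChangeLog entry readable.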

Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (136553 => 136554)


--- trunk/Source/WebCore/rendering/RenderLayer.cpp	2012-12-04 21:07:45 UTC (rev 136553)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp	2012-12-04 21:10:03 UTC (rev 136554)
@@ -981,8 +981,10 @@
 RenderLayer* RenderLayer::stackingContext() const
 {
     RenderLayer* layer = parent();
-    while (layer && !layer->isRootLayer() && !layer->renderer()->isRoot() && layer->renderer()->style()->hasAutoZIndex())
+    while (layer && !layer->isStackingContext())
         layer = layer->parent();
+
+    ASSERT(!layer || layer->isStackingContext());
     return layer;
 }
 
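Review bot: the new loop no longer stops unconditionally at the root layer or at a renderer for which isRoot() is true, so the guarantee that stackingContext() returns non-null for any attached layer now rests entirely on isStackingContext() being true for the root layer, which is not visible in this hunk; a comment on the `while` line stating that invariant, or an ASSERT that the walk never runs past the root layer, would make the reliance explicit. The added `ASSERT(!layer || layer->isStackingContext());` restates the loop's exit condition and therefore cannot fail; it serves as documentation of intent rather than as a check, which is acceptable but worth noting.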
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes